Abstract 


We present dynamic I/O automata (DIOA), a compositional model of dynamic systems, based on I/O 
automata. In our model, automata can be created and destroyed dynamically, as computation proceeds. 
In addition, an automaton can dynamically change its signature, that is, the set of actions in which it 
can participate. This allows us to model mobility, by enforcing the constraint that only automata at the 
same location may synchronize on common actions. 

Our model features operators for parallel composition, action hiding, and action renaming. It also 
features a notion of automaton creation, and a notion of trace inclusion from one dynamic system to 
another, which can be used to prove that one system implements the other. Our model is hierarchical: 
a dynamically changing system of interacting automata is itself modeled as a single automaton that is 
“one level higher.” This can be repeated, so that an automaton that represents such a dynamic system 
can itself be created and destroyed. We can thus model the addition and removal of entire subsystems 
with a single action. 

We establish fundamental compositionality results for DIOA: if one component is replaced by another 
whose traces are a subset of the former, then the set of traces of the system as a whole can only be reduced, 
and not increased, i.e., no new behaviors are added. That is, parallel composition, action hiding, and 
action renaming, are all monotonic with respect to trace inclusion. We also show that, under certain 
technical conditions, automaton creation is monotonic with respect to trace inclusion: if a system creates 
automaton $A_i$ instead of (previously) creating automaton $A'_i$, and the traces of $A_i$ are a subset of the 
traces of $A'_i$, then the set of traces of the overall system is possibly reduced, but not increased. Our 
trace inclusion results imply that trace equivalence is a congruence relation with respect to parallel 
composition, action hiding, and action renaming. 

Our trace inclusion results enable a design and refinement methodology based solely on the notion of 
externally visible behavior, and which is therefore independent of specific methods of establishing trace 
inclusion. It permits the refinement of components and subsystems in isolation from the entire system, 
and provides more flexibility in refinement than a methodology which is, for example, based on the 
monotonicity of forward simulation with respect to parallel composition. In the latter, every automaton 
must be refined using forward simulation, whereas in our framework different automata can be refined 
using different methods. 

The DIOA model was defined to support the analysis of mobile agent systems, in a joint project with 
researchers at Nippon Telegraph and Telephone. It can also be used for other forms of dynamic systems, 
such as systems described by means of object-oriented programs, and systems containing services with 
changing access permissions. 
1 Introduction 


Many modern distributed systems are dynamic: they involve changing sets of components, which are created 
and destroyed as computation proceeds, and changing capabilities for existing components. For example, 
programs written in object-oriented languages such as Java involve objects that create new objects as needed, 
and create new references to existing objects. Mobile agent systems involve agents that create and destroy 
other agents, travel to different network locations, and transfer communication capabilities. 


To describe and analyze such distributed systems rigorously, one needs an appropriate mathematical foundation: 
a state-machine-based framework that allows modeling of individual components and their interactions 
and changes. The framework should admit standard modeling methods such as parallel composition and 
levels of abstraction, and standard proof methods such as invariants and simulation relations. As dynamic 
systems are even more complex than static distributed systems, the development of practical techniques for 
specification and reasoning is imperative. For static distributed systems and concurrent programs, compositional 
reasoning is proposed as a means of reducing the proof burden: reason about small components and 
subsystems as much as possible, and about the large global system as little as possible. For dynamic systems, 
compositional reasoning is a priori necessary, since the environment in which dynamic software components 
(e.g., software agents) operate is continuously changing. For example, given a software agent B, suppose we 
then refine B to generate a new agent A, and we prove that A’s externally visible behaviors are a subset 
of B’s. We would like to then conclude that replacing B by A, within any environment, does not introduce 
new, and possibly erroneous, behaviors. 


One issue that arises in systems where components can be created dynamically is that of clones. Suppose 
that a particular component is created twice, in succession. In general, this can result in the creation of two 
(or more) indistinguishable copies of the component, known as clones. We make the fundamental assumption 
in our model that this situation does not arise: components can always be distinguished, for example, by a 
logical timestamp at the time of creation. This absence of clones assumption does not preclude reasoning 
about situations in which an automaton $A_1$ cannot be distinguished from another automaton $A_2$ by the other 
automata in the system. This could occur, for example, due to a malicious host which “replicates” agents 
that visit it. We distinguish between such replicas at the meta-theoretic level by assigning unique identifiers 
to each. These identifiers are not available to the other automata in the system, which remain unable to 
tell $A_1$ and $A_2$ apart, for example in the sense of the “knowledge” [16] about $A_1$ and $A_2$ which the other 
automata possess. 


Static mathematical models like I/O automata [23] could be used to model dynamic systems, with the 
addition of some extra structure (special Boolean flags) for modeling dynamic aspects. For example, in 
[24], dynamically-created transactions were modeled as if they existed all along, but were “awakened” upon 
execution of special create actions. However, dynamic behavior has by now become so prevalent that it 
deserves to be modeled directly. The main challenge is to identify a small, simple set of constructs that can 
be used as a basis for describing most interesting dynamic systems. 


In this paper, we present our proposal for such a model: the Dynamic I/O Automaton (DIOA) model. Our 
basic idea is to extend I/O automata with the ability to change their signatures dynamically, and to create 
other I/O automata. We then combine such extended automata into global configurations. Our model 
provides: 


1. parallel composition, action hiding, and action renaming operators; 


2. the ability to dynamically change the signature of an automaton; that is, the set of actions in which 
the automaton can participate; 


3. the ability to create and destroy automata dynamically, as computation proceeds; and 


4. a notion of externally visible behavior based on sets of traces. 


Our notion of externally visible behavior provides a foundation for abstraction, and a notion of behavioral 
subtyping by means of trace inclusion. Dynamically changing signatures allow us to model mobility, by 
enforcing the constraint that only automata at the same location may synchronize on common actions. This 
capability is not present in a static model with extra structure (e.g., boolean flags). Modeling a mobile agent 
in a static setting would be difficult at best, and would result in a contrived and over-complicated model 
(how would you simulate location and signature change?) that would lose the benefits of simple and direct 
representation that our model affords. 


Our model is hierarchical: a dynamically changing system of interacting automata is itself modeled as a 
single automaton that is “one level higher.” This can be repeated, so that an automaton that represents 
such a dynamic system can itself be created and destroyed. This allows us to model the addition and removal 
of entire subsystems with a single action. This would also be quite difficult to represent naturally in a static 
model. 


As in I/O automata [23, 22], there are three kinds of actions: input, output, and internal. A trace of an 
execution results by removing all states and internal actions. We use the set of traces of an automaton 
as our notion of external behavior. We show that parallel composition is monotonic with respect to trace 
inclusion: if we have two systems $A = A_1 \| \cdots \| A_i \| \cdots \| A_n$ and $A' = A_1 \| \cdots \| A'_i \| \cdots \| A_n$ consisting 
of $n$ automata, executing in parallel, then if the traces of $A_i$ are a subset of the traces of $A'_i$ (which it 
“replaces”), then the traces of $A$ are a subset of the traces of $A'$. We also show that action hiding (convert 
output actions to internal actions) and action renaming (change action names using an injective map) are 
monotonic with respect to trace inclusion, and, finally, we show that, if we have a system X in which an 
automaton A is created, and a system Y in which an automaton B is created “instead of A”, and if the 
traces of A are a subset of the traces of B, then the traces of X will be a subset of the traces of Y, but only 
under certain conditions. Specifically, in the system Y, the creation of automaton B at some point must 
be correlated with the finite trace of Y up to that point. Otherwise, monotonicity of trace inclusion can be 
violated by having the system X create the replacement A in more contexts than those in which Y creates 
B, resulting in X possessing some traces which are not traces of Y. This phenomenon appears to be inherent 
in situations where the creation of new automata can depend upon global conditions (as in our model) and 
can be independent of the externally visible behavior (trace). Our monotonicity results imply that trace 
equivalence is a congruence with respect to parallel composition, action hiding, and action renaming. 


Our results enable a refinement methodology for dynamic systems that is independent of specific methods of 
establishing trace inclusion. Different automata in the system can be refined using different methods, e.g., 
different simulation relations such as forward simulations or backward simulations, or by using methods not 
based on simulation relations. This provides more flexibility in refinement than a methodology which, for 
example, shows that forward simulation is monotonic with respect to parallel composition, since in the latter 
every automaton must be refined using forward simulation. 


We defined the DIOA model initially to support the analysis of mobile agent systems, in a joint project with 
researchers at Nippon Telegraph and Telephone. Creation and destruction of agents are modeled directly 
within the DIOA model. Other important agent concepts such as changing locations and capabilities are 
described in terms of changing signatures, using additional structure. 


This paper is organized as follows. Section 2 presents signature I/O automata (SIOA), which are I/O 
automata that also have the ability to change their signature, and also defines a parallel composition, action 
hiding, and action renaming operators for them. Section 3 shows that parallel composition of SIOA is 
monotonic with respect to trace inclusion. Section 4 establishes that action hiding and action renaming are 
monotonic with respect to trace inclusion. It also shows that trace equivalence is a congruence with respect 
to parallel composition, action hiding, and action renaming. Section 5 presents configuration automata 
(CA), which have the ability to dynamically create SIOA as execution proceeds. Section 5 also extends the 
parallel composition, action hiding, and action renaming operators to configuration automata, and shows 
that configuration automata inherit the trace monotonicity results of SIOA. Section 6 shows that SIOA 
creation is monotonic with respect to trace inclusion, under certain technical conditions. Section 7 discusses 
how mobility and locations can be modeled in DIOA. Section 8 presents an example: an agent whose purpose 
is to traverse a set of databases in search of a satisfactory airline flight, and to purchase such a flight if it 
finds it. Section 9 discusses related work. Section 10 discusses further research and presents our conclusions. 


2 Signature I/O Automata 


We introduce signature input-output automata (SIOA). We assume the existence of a set $Autids$ of unique 
SIOA identifiers, an underlying universal set $Auts$ of SIOA, and a mapping $aut : Autids \to Auts$. $aut(A)$ is 
the SIOA with identifier $A$. We use “the automaton $A$” to mean “the SIOA with identifier $A$”. We use the 
letters $A, B$, possibly subscripted or primed, for SIOA identifiers. 


The executable actions of an SIOA $A$ are drawn from a signature $sig(A)(s) = (in(A)(s), out(A)(s), int(A)(s))$, 
called the state signature, which is a function of the current state $s$. $in(A)(s)$, $out(A)(s)$, $int(A)(s)$ are 
pairwise disjoint sets of input, output, and internal actions, respectively. We define $ext(A)(s)$, the external 
signature of $A$ in state $s$, to be $ext(A)(s) = (in(A)(s), out(A)(s))$. 


For any signature component, generally, the $\widehat{\cdot}$ operator yields the union of the sets of actions within the signature, 
e.g., $\widehat{sig(A)(s)} = in(A)(s) \cup out(A)(s) \cup int(A)(s)$. Also define $acts(A) = \bigcup_{s \in states(A)} \widehat{sig(A)(s)}$, that is, 
$acts(A)$ is the “universal” set of all actions that $A$ could possibly execute, in any state. 


Definition 1 (SIOA) An SIOA $aut(A)$ consists of the following components: 


1. A set $states(A)$ of states. 
2. A nonempty set $start(A) \subseteq states(A)$ of start states. 
3. A signature mapping $sig(A)$ where for each $s \in states(A)$, $sig(A)(s) = (in(A)(s), out(A)(s), int(A)(s))$, 
where $in(A)(s)$, $out(A)(s)$, $int(A)(s)$ are sets of actions. 
4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$ 

and satisfies the following constraints on those components: 


1. $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$. 
2. $\forall s \in states(A) : \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$. 
3. $\forall s \in states(A) : in(A)(s) \cap out(A)(s) = in(A)(s) \cap int(A)(s) = out(A)(s) \cap int(A)(s) = \emptyset$. 


Constraint 1 requires that any executed action be in the signature of the initial state of the transition. 
Constraint 2 extends the input enabling requirement of I/O automata to SIOA. Constraint 3 requires that in 
any state, an action cannot be both an input and an output, etc. However, the same action can be an input 
in one state and an output in another. This is in contrast to ordinary I/O automata, where the signature of 
an automaton is fixed once and for all, and cannot vary with the state. Thus, in an ordinary I/O automaton an action is either always an 
input, always an output, or always internal. 


If $(s, a, s') \in steps(A)$, we also write $s \xrightarrow{a}_A s'$. For the sake of brevity, we write $states(A)$ instead of 
$states(aut(A))$, i.e., the components of an automaton are identified by applying the appropriate selector 
function to the automaton identifier, rather than the automaton itself. 


Definition 2 (Execution, trace of SIOA) An execution fragment $\alpha$ of an SIOA $A$ is a nonempty (finite 
or infinite) sequence $s^0 a^1 s^1 a^2 \ldots$ of alternating states and actions such that $(s^{i-1}, a^i, s^i) \in steps(A)$ for each 
triple $(s^{i-1}, a^i, s^i)$ occurring in $\alpha$. Also, $\alpha$ ends in a state if it is finite. An execution of $A$ is an execution 
fragment of $A$ whose first state is in $start(A)$. $execs(A)$ denotes the set of executions of SIOA $A$. 


Given an execution fragment $\alpha = s^0 a^1 s^1 a^2 \ldots$ of $A$, the trace of $\alpha$ in $A$ (denoted $trace_A(\alpha)$) is the sequence 
that results from 


1. remove all $a^i$ such that $a^i \notin \widehat{ext(A)(s^{i-1})}$, i.e., $a^i$ is an internal action of $A$ in state $s^{i-1}$, and then 
2. replace each $s^i$ by its external signature $ext(A)(s^i)$, and then 
3. replace each maximal block $ext(A)(s^i), \ldots, ext(A)(s^{i+k})$ such that 
$(\forall j : 0 \le j \le k : ext(A)(s^{i+j}) = ext(A)(s^i))$ by $ext(A)(s^i)$, i.e., replace each maximal block of 
identical external signatures by a single representative. (Note: this also applies to an infinite suffix of 
identical signatures, i.e., $k = \omega$.) 


Thus, a trace is a sequence of external actions and external signatures that starts with an external signature. 
Also, if the trace is finite, then it ends with an external signature. When the automaton $A$ is understood 
from context, we write simply $trace(\alpha)$. We need to indicate the automaton, since it is possible for two 
automata to have the same executions, but different traces, e.g., when one results from the other by action 
hiding (see Section 2.2 below). 


Traces are our notion of externally visible behavior. A trace $\beta$ of an execution $\alpha$ exposes the external actions 
along $\alpha$, and the external signatures of states along $\alpha$, except that repeated identical external signatures 
along $\alpha$ do not show up in $\beta$. Thus, the external signature of the first state of $\alpha$, and then all subsequent 
changes to the external signature, are made visible in $\beta$. This includes signature changes caused by internal 
actions, i.e., these signature changes are also made visible. $traces(A)$, the set of traces of an SIOA $A$, is the 
set $\{\beta \mid \exists \alpha \in execs(A) : \beta = trace(\alpha)\}$. 
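As an added illustration (this is not code from the paper), the following Python models an SIOA in the sense of Definition 1, checks its three constraints, and computes $trace_A(\alpha)$ by the three steps of Definition 2. The "door" automaton, its execution, and all of its action names are constructed for this example. Its internal action motor changes the external signature, so that change appears in the trace even though the action itself is removed; step 3 is implemented as collapsing adjacent identical external signatures, which is where identical signatures can become adjacent once internal actions are dropped.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Hashable, List, Set, Tuple, Union

# A state signature (in, out, int) as in Definition 1; ext(A)(s) is the pair (in, out).
Sig = Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]
ExtSig = Tuple[FrozenSet[str], FrozenSet[str]]


@dataclass
class SIOA:
    """Definition 1: states, start states, a state-dependent signature, and (s, a, s') steps."""
    states: Set[Hashable]
    start: Set[Hashable]
    sig: Callable[[Hashable], Sig]
    steps: Set[Tuple[Hashable, str, Hashable]]


def sig_hat(s: Sig) -> FrozenSet[str]:
    """The hat operator: the union of the three components of a signature."""
    return s[0] | s[1] | s[2]


def ext(s: Sig) -> ExtSig:
    """ext(A)(s): the external signature (inputs, outputs)."""
    return (s[0], s[1])


def check_constraints(A: SIOA) -> List[str]:
    """Return the violated constraints of Definition 1; an empty list means A is an SIOA."""
    problems: List[str] = []
    if not A.start or not A.start <= A.states:
        problems.append("start states must be a nonempty subset of states")
    # Constraint 1: each executed action is in the signature of the step's source state.
    for (s, a, _t) in A.steps:
        if a not in sig_hat(A.sig(s)):
            problems.append(f"Constraint 1: action {a!r} not in the signature of state {s!r}")
    for s in A.states:
        inn, out, internal = A.sig(s)
        # Constraint 2 (input enabling): every input of the current signature has a step from s.
        for a in inn:
            if not any(s0 == s and a0 == a for (s0, a0, _) in A.steps):
                problems.append(f"Constraint 2: input {a!r} is not enabled in state {s!r}")
        # Constraint 3: the three components are pairwise disjoint in every state.
        if (inn & out) or (inn & internal) or (out & internal):
            problems.append(f"Constraint 3: signature components overlap in state {s!r}")
    return problems


def trace(A: SIOA, execution: List) -> List[Union[str, ExtSig]]:
    """trace_A(alpha) of Definition 2, with alpha given as the list [s0, a1, s1, a2, s2, ...]."""
    if not execution or len(execution) % 2 == 0:
        raise ValueError("an execution fragment is nonempty and ends in a state")
    # Steps 1 and 2: drop actions that are internal in their source state and
    # replace every state by its external signature.
    seq: List[Union[str, ExtSig]] = [ext(A.sig(execution[0]))]
    for i in range(1, len(execution), 2):
        prev, a, s = execution[i - 1], execution[i], execution[i + 1]
        if (prev, a, s) not in A.steps:
            raise ValueError(f"not a step of A: {(prev, a, s)}")
        inn, out = ext(A.sig(prev))
        if a in inn | out:
            seq.append(a)
        seq.append(ext(A.sig(s)))
    # Step 3: collapse each maximal block of adjacent identical external signatures.
    result: List[Union[str, ExtSig]] = []
    for x in seq:
        if result and isinstance(x, tuple) and result[-1] == x:
            continue
        result.append(x)
    return result


# Constructed automaton (not from the paper): a door whose signature changes as it opens.
# push is always an input; motor and tick are internal only while opening; ding is an
# output only while open. The internal action motor therefore changes the signature.
def door() -> SIOA:
    def sig(s):
        if s == "closed":
            return (frozenset({"push"}), frozenset(), frozenset())
        if s == "opening":
            return (frozenset({"push"}), frozenset(), frozenset({"motor", "tick"}))
        return (frozenset({"push"}), frozenset({"ding"}), frozenset())  # "open"
    return SIOA(states={"closed", "opening", "open"}, start={"closed"}, sig=sig,
                steps={("closed", "push", "opening"), ("opening", "push", "opening"),
                       ("opening", "tick", "opening"), ("opening", "motor", "open"),
                       ("open", "ding", "open"), ("open", "push", "closed")})


def broken_door() -> SIOA:
    """The door without its ("opening", "push", "opening") step: input enabling fails."""
    A = door()
    A.steps = A.steps - {("opening", "push", "opening")}
    return A


# Constructed execution: closed -push-> opening -tick-> opening -motor-> open -ding-> open -push-> closed
DOOR_EXECUTION = ["closed", "push", "opening", "tick", "opening", "motor",
                  "open", "ding", "open", "push", "closed"]


def door_trace() -> List[Union[str, ExtSig]]:
    return trace(door(), DOOR_EXECUTION)


if __name__ == "__main__":
    print("violations:", check_constraints(door()), check_constraints(broken_door()))
    for item in door_trace():
        print(item)
```

The resulting trace has eight elements: the initial signature, push, the unchanged signature, the new signature that motor produced (with no action between the two, which is exactly the signature change made visible by an internal action), ding, its signature, push, and the closed signature.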


Notation. We write $s \xrightarrow{\alpha}_A s'$ iff there exists an execution fragment $\alpha$ of $A$ starting in $s$ and ending in 
$s'$. If a state $s$ lies along some execution, then we say that $s$ is reachable. Otherwise, $s$ is unreachable. The 
length $|\alpha|$ of a finite execution fragment $\alpha$ is the number of transitions along $\alpha$. The length of an infinite 
execution fragment is infinite ($\omega$). If $|\alpha| = 0$, then $\alpha$ consists of a single state. When we write, for example, 
$0 \le i \le |\alpha|$, it is understood that when $\alpha$ is infinite, the case $i = |\alpha|$ does not arise, i.e., we consider only 
finite indices for states and actions along an execution. If execution fragment $\alpha = s^0 a^1 s^1 a^2 \ldots$, then for 
$0 \le i \le |\alpha|$, define $\alpha|_i = s^0 a^1 s^1 a^2 \ldots a^i s^i$, and for $0 \le i, j \le |\alpha| \wedge j \le i$, define ${}_j\alpha|_i = s^j a^{j+1} \ldots a^i s^i$. 


We define a concatenation operator $\frown$ for execution fragments as follows. If $\alpha' = s^0 a^1 s^1 a^2 \ldots a^i s^i$ is a 
finite execution fragment and $\alpha'' = t^0 b^1 t^1 b^2 \ldots$ is an execution fragment, then $\alpha' \frown \alpha''$ is defined to be the 
execution fragment $s^0 a^1 s^1 a^2 \ldots a^i t^0 b^1 t^1 b^2 \ldots$ only when $s^i = t^0$. If $s^i \ne t^0$, then $\alpha' \frown \alpha''$ is undefined. We 
also use $\alpha' \frown (a, s)$ to mean $s^0 a^1 s^1 a^2 \ldots a^i s^i a s$, i.e., we concatenate a transition to the end of $\alpha'$. Let $\alpha, \alpha'$ 
be execution fragments. Then $\alpha$ is a proper prefix of $\alpha'$ iff there exists an execution fragment $\alpha''$ such that 
$\alpha' = \alpha \frown \alpha''$. We write $\alpha < \alpha'$ in this case. If $\alpha < \alpha'$ or $\alpha = \alpha'$, then we write $\alpha \le \alpha'$, and say that $\alpha$ 
is a prefix of $\alpha'$. We also overload $\frown$ and use it for concatenating traces and parts of traces (i.e., single 
signatures and actions), in the obvious manner. 


Throughout the paper, we will use a superscript, i.e., $s^j$, to mean the $j$'th state along an execution, and we 
will use a subscript, i.e., $s_i$, to mean the state of SIOA $A_i$ (e.g., in a parallel composition $A = A_1 \| \cdots \| 
A_i \| \cdots \| A_n$). When we require both usages, we will use $s^j_i$, which means the $A_i$-component of the $j$'th 
state along an execution. For consistency of notation, we also use a superscript, i.e., $a^j$, to mean the $j$'th 
action along an execution. 


Let $[k : \ell] \triangleq \{ i \mid k \le i \le \ell \}$. We use $(Q\,i, r(i) : e(i))$ to indicate quantification with quantifier $Q$, bound 
variable $i$, range $r(i)$, and quantified expression $e(i)$. For compactness, we sometimes give the bound variable 
and range as a subscript. 


2.1 Parallel Composition of Signature I/O Automata 


The operation of composing a finite number n of SIOA together gives the technical definition of the idea 
of n SIOA executing concurrently. As with ordinary I/O automata, we require that the signatures of the 
SIOA be compatible, in the usual sense that there are no common outputs, and no internal action of one 
automaton is an action of another. 


Definition 3 (Compatible signatures) Let $S$ be a set of signatures. Then $S$ is compatible iff, for all 
$sig \in S$, $sig' \in S$, where $sig = (in, out, int)$, $sig' = (in', out', int')$ and $sig \ne sig'$, we have: 


1. $(in \cup out \cup int) \cap int' = \emptyset$, and 
2. $out \cap out' = \emptyset$. 


Since the signatures of SIOA vary with the state, we require compatibility for all possible combinations of 
states of the automata being composed. Our definition is “conservative” in that it requires compatibility for 
all combinations of states, not just those that are reachable in the execution of the composed automaton. 
This results in significantly simpler and cleaner definitions, and does not detract from the applicability of 
the theory. 


Definition 4 (Compatible SIOA) Let $A_1, \ldots, A_n$ be SIOA. $A_1, \ldots, A_n$ are compatible if and only if 
for every $(s_1, \ldots, s_n) \in states(A_1) \times \cdots \times states(A_n)$, $\{sig(A_1)(s_1), \ldots, sig(A_n)(s_n)\}$ is a compatible set of 
signatures. 


Definition 5 (Composition of Signatures) Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be compatible 
signatures. Then we define their composition $\Sigma \times \Sigma' = ((in \cup in') - (out \cup out'), out \cup out', int \cup int')$. 


Signature composition is clearly commutative and associative. We therefore use $\prod$ for the $n$-ary version of $\times$. 
As with I/O automata, SIOA synchronize on same-named actions. To devise a theory that accommodates 
the hierarchical construction of systems, we ensure that the composition of $n$ SIOA is itself an SIOA. 


Definition 6 (Composition of SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \| \cdots \| A_n$ is 
the state-machine consisting of the following components: 


1. A set of states $states(A) = states(A_1) \times \cdots \times states(A_n)$. 
2. A set of start states $start(A) = start(A_1) \times \cdots \times start(A_n)$. 
3. A signature mapping $sig(A)$ as follows. For each $s = (s_1, \ldots, s_n) \in states(A)$, $sig(A)(s) = sig(A_1)(s_1) \times 
\cdots \times sig(A_n)(s_n)$. 
4. A transition relation $steps(A) \subseteq states(A) \times acts(A) \times states(A)$ which is the set of all $((s_1, \ldots, s_n), a, (t_1, \ldots, t_n))$ 
such that 
(a) $a \in \widehat{sig(A_1)(s_1)} \cup \ldots \cup \widehat{sig(A_n)(s_n)}$, and 
(b) for all $i \in [1:n]$: if $a \in \widehat{sig(A_i)(s_i)}$, then $(s_i, a, t_i) \in steps(A_i)$, otherwise $s_i = t_i$. 


If $s = (s_1, \ldots, s_n) \in states(A)$, then define $s{\lceil}A_i = s_i$, for $i \in [1 : n]$. 


Since our goal is to deal with dynamic systems, we must at some point define the composition of a variable number of SIOA. 
We do this below in Section 5, where we deal with creation and destruction of SIOA. Roughly 
speaking, parallel composition is intended to model the composition of a finite number of large systems, 
for example a local-area network together with all of the attached hosts. Within each system, however, an 
unbounded number of new components, for example processes, threads, or software agents, can be created. 
Thus, at any time, there is a finite but unbounded number of components in each system, and a finite, fixed 
number of “top level” systems. 


Proposition 1 Let $A_1, \ldots, A_n$ be compatible SIOA. Then $A = A_1 \| \cdots \| A_n$ is an SIOA. 


Proof: We must show that $A$ satisfies the constraints of Definition 1. We deal with each constraint in turn. 


Constraint 1: Let $(s, a, s') \in steps(A)$. Then, $s$ can be written as $(s_1, \ldots, s_n)$. From Definition 6, clause 4, 
$a \in \widehat{sig(A_1)(s_1)} \cup \ldots \cup \widehat{sig(A_n)(s_n)}$. From Definition 6, clause 3, $\widehat{sig(A_1)(s_1)} \cup \ldots \cup \widehat{sig(A_n)(s_n)} = \widehat{sig(A)(s)}$. 
Hence $a \in \widehat{sig(A)(s)}$. 


Constraint 2: Let $s \in states(A)$, $a \in in(A)(s)$. Then, $s$ can be written as $(s_1, \ldots, s_n)$. From Definition 6, 
clause 3, $a \in (\bigcup_{1 \le i \le n} in(A_i)(s_i)) - out(A)(s)$. Hence, there exists $\varphi \subseteq [1:n]$ such that $\forall i \in \varphi : a \in in(A_i)(s_i)$, 
and $\forall i \in [1:n] - \varphi : a \notin \widehat{sig(A_i)(s_i)}$. Since each $A_i$ satisfies Constraint 2 of Definition 1, we have: 
$\forall i \in \varphi : \exists t_i : (s_i, a, t_i) \in steps(A_i)$. 
By Definition 6, Clause 4, 
$\exists t : (s, a, t) \in steps(A)$, where $\forall i \in \varphi : t{\lceil}A_i = t_i$, and $\forall i \in [1:n] - \varphi : t{\lceil}A_i = s_i$. 
Hence Constraint 2 is satisfied. 


Constraint 3: From Definitions 5 and 6, it follows that the sets of input and output actions of $A$ in any state 
are disjoint. Each $A_i$ is an SIOA and so satisfies Constraint 3 of Definition 1. From this and Definitions 3, 
4, 5, and 6, it follows that the set of internal actions of $A$ in any state has no action in common with either 
the input actions or the output actions. Hence $A$ satisfies Constraint 3. 


2.2 Action Hiding for Signature I/O Automata 


The operation of action hiding allows us to convert output actions into internal actions, and is useful in 
specifying the set of actions that are to be visible at the interface of a system. 


Definition 7 (Action hiding for SIOA) Let $A$ be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$ is the 
state-machine given by: 


1. A set of states $states(A \setminus \Sigma) = states(A)$. 
2. A set of start states $start(A \setminus \Sigma) = start(A)$. 
3. A signature mapping $sig(A \setminus \Sigma)$ as follows. For each $s \in states(A)$, 
$sig(A \setminus \Sigma)(s) = (in(A \setminus \Sigma)(s), out(A \setminus \Sigma)(s), int(A \setminus \Sigma)(s))$, where 
(a) $out(A \setminus \Sigma)(s) = out(A)(s) - \Sigma$, 
(b) $in(A \setminus \Sigma)(s) = in(A)(s)$, and 
(c) $int(A \setminus \Sigma)(s) = int(A)(s) \cup (out(A)(s) \cap \Sigma)$. 
4. A transition relation $steps(A \setminus \Sigma) = steps(A)$. 


Proposition 2 Let $A$ be an SIOA and $\Sigma$ a set of actions. Then $A \setminus \Sigma$ is an SIOA. 


Proof: We must show that $A \setminus \Sigma$ satisfies the constraints of Definition 1. We deal with each constraint in 
turn. 


Constraint 1: From Definition 7, we have, for any $s \in states(A \setminus \Sigma)$: $\widehat{sig(A \setminus \Sigma)(s)} = (out(A)(s) - \Sigma) \cup 
in(A)(s) \cup (int(A)(s) \cup (out(A)(s) \cap \Sigma)) = ((out(A)(s) - \Sigma) \cup (out(A)(s) \cap \Sigma)) \cup in(A)(s) \cup int(A)(s) = 
out(A)(s) \cup in(A)(s) \cup int(A)(s) = \widehat{sig(A)(s)}$. 
Since $A$ is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$. From Definition 7, $steps(A \setminus \Sigma) = 
steps(A)$. Hence, $\forall (s, a, s') \in steps(A \setminus \Sigma) : a \in \widehat{sig(A \setminus \Sigma)(s)}$. Thus, Constraint 1 holds for $A \setminus \Sigma$. 
Constraint 2: From Definition 7, $states(A \setminus \Sigma) = states(A)$, $steps(A \setminus \Sigma) = steps(A)$, and for all $s \in 
states(A \setminus \Sigma)$, $in(A \setminus \Sigma)(s) = in(A)(s)$. 
Since $A$ is an SIOA, we have Constraint 2 for $A$: 

$\forall s \in states(A), \forall a \in in(A)(s), \exists s' : (s, a, s') \in steps(A)$. 


Hence, we also have 
$\forall s \in states(A \setminus \Sigma), \forall a \in in(A \setminus \Sigma)(s), \exists s' : (s, a, s') \in steps(A \setminus \Sigma)$. 
Hence Constraint 2 holds for $A \setminus \Sigma$. 


Constraint 3: $A$ is an SIOA and so satisfies Constraint 3 of Definition 1. Definition 7 states that, in every 
state $s$, some actions are removed from the output action set and added to the internal action set. Hence 
the sets of input, output, and internal actions remain disjoint. So $A \setminus \Sigma$ also satisfies Constraint 3. 


2.3 Action Renaming for Signature I/O Automata 


The operation of action renaming allows us to rename actions uniformly, that is, all occurrences of an action 
name are replaced by another action name, and the mapping is also one-to-one, so that different actions are 
not identified (mapped to the same action). This is useful in defining “parameterized” systems, in which 
there are many instances of a “generic” component, all of which have similar functionality. Examples of this 
include the servers in a client-server system, the components of a distributed database system, and hosts in 
a network. 


Definition 8 (Action renaming for SIOA) Let $A$ be an SIOA and let $\rho$ be an injective mapping from 
actions to actions whose domain includes $acts(A)$. Then $\rho(A)$ is the state machine given by: 


1. $start(\rho(A)) = start(A)$. 
2. $states(\rho(A)) = states(A)$. 
3. for each $s \in states(A)$, $sig(\rho(A))(s) = (in(\rho(A))(s), out(\rho(A))(s), int(\rho(A))(s))$, where 
(a) $out(\rho(A))(s) = \rho(out(A)(s))$, 
(b) $in(\rho(A))(s) = \rho(in(A)(s))$, and 
(c) $int(\rho(A))(s) = \rho(int(A)(s))$. 
4. A transition relation $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$. 

Here we write $\rho(\Sigma) = \{\rho(a) \mid a \in \Sigma\}$, i.e., we extend $\rho$ to sets of actions element-wise. 


Proposition 3 Let $A$ be an SIOA and let $\rho$ be an injective mapping from actions to actions whose domain 
includes $acts(A)$. Then, $\rho(A)$ is an SIOA. 


Proof: We must show that $\rho(A)$ satisfies the constraints of Definition 1. We deal with each constraint in 
turn. 


Constraint 1: From Definition 8, we have, for any $s \in states(\rho(A))$: $\widehat{sig(\rho(A))(s)} = out(\rho(A))(s) \cup in(\rho(A))(s) \cup 
int(\rho(A))(s) = \rho(out(A)(s)) \cup \rho(in(A)(s)) \cup \rho(int(A)(s)) = \rho(\widehat{sig(A)(s)})$. 

Since $A$ is an SIOA, we have $\forall (s, a, s') \in steps(A) : a \in \widehat{sig(A)(s)}$. From Definition 8, $steps(\rho(A)) = 
\{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$. 


Hence, if $(s, \rho(a), t)$ is an arbitrary element of $steps(\rho(A))$, then $(s, a, t) \in steps(A)$, and so $a \in \widehat{sig(A)(s)}$. 


Hence $\rho(a) \in \rho(\widehat{sig(A)(s)})$. Since $\rho(\widehat{sig(A)(s)}) = \widehat{sig(\rho(A))(s)}$, we conclude $\rho(a) \in \widehat{sig(\rho(A))(s)}$. Hence, 
$\forall (s, \rho(a), s') \in steps(\rho(A)) : \rho(a) \in \widehat{sig(\rho(A))(s)}$. Thus, Constraint 1 holds for $\rho(A)$. 


Constraint 2: From Definition 8, $states(\rho(A)) = states(A)$, $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$, 
and for all $s \in states(\rho(A))$, $in(\rho(A))(s) = \rho(in(A)(s))$. 


Let $s$ be any state of $\rho(A)$, and let $b \in in(\rho(A))(s)$. Then $b = \rho(a)$ for some $a \in in(A)(s)$. We have $(s, a, t) \in 
steps(A)$ for some $t$, by Constraint 2 for $A$. Hence $(s, \rho(a), t) \in steps(\rho(A))$. Hence $(s, b, t) \in steps(\rho(A))$. 
Hence Constraint 2 holds for $\rho(A)$. 


Constraint 3: $A$ is an SIOA and so satisfies Constraint 3 of Definition 1. From this and Definition 8 and the 
requirement that $\rho$ be injective, it is easy to see that $\rho(A)$ also satisfies Constraint 3. 


2.4 Example: mobile phones 
We illustrate SIOA using the mobile phone example from Milner [26, chapter 8]. There are four SIOA: 


1. Car: a car containing a mobile phone 
2. Trans1, Trans2: two transmitter stations 


3. Control: a control station 


Control, Trans1, and Car are given in Figures 1, 2, and 3 respectively. Trans2 results by applying renaming 
to Trans1, and changing the initial state appropriately, since initially Car is communicating with Trans1. 


We use the usual I/O automata “precondition effect” pseudocode [22], augmented by additional constructs 
to describe signature changes and SIOA creation, as follows. We use “state variables” in, out, and int to 
denote the current sets of input, output, and internal actions in the SIOA state signature. The Signature 
section of the pseudocode for each SIOA describes acts(A), i.e., the “universal” set of all actions that A could 
possibly execute, in any state. We partition this description into the input, output, and internal components 
of the signature. We indicate the signature components in every start state using an “initially” keyword at 
the end of the “Input,” “Output,” and “Internal” sections, followed by the actions present in the signature 
of every start state. This convention restricts all start states to have the same signature. We emphasize 
that this is a restriction of the pseudocode only, and not of the underlying SIOA model. When a signature 
component does not change, we replace the keyword “initially” by the keyword “constant” as a convenient 
reminder of this. 


At any time, Car is connected to either Trans1 or Trans2. Normal conversation is conducted using a talk 
action. Under direction of Control (via lose and gain actions) the transmitters transfer Car between them, 
using switch actions. Upon receiving a lose input from Control, a transmitter goes on to send a switch to Car, 
and also removes the talk and switch actions from its signature. Upon receiving a switch from a transmitter, 
Car will remove the talk and switch actions for that transmitter from its signature, and add the talk and 
switch actions for the other transmitter to its signature. 


Control 

Signature 
  Input: 
    ∅                                   constant 
  Output: 
    lose_1, gain_1, lose_2, gain_2      constant 
  Internal: 
    ∅                                   constant 

State 
  assigned ∈ {1, 2}, transmitter that Car is assigned to, initially 1 
  transferring ∈ {true, false}, true iff in the middle of a transfer of Car from one transmitter to another, initially false 

Actions 
  Output lose_1 
    Pre: assigned = 1 ∧ ¬transferring 
    Eff: assigned ← 2; 
         transferring ← true 

  Output lose_2 
    Pre: assigned = 2 ∧ ¬transferring 
    Eff: assigned ← 1; 
         transferring ← true 

  Output gain_1 
    Pre: assigned = 1 ∧ transferring 
    Eff: transferring ← false 

  Output gain_2 
    Pre: assigned = 2 ∧ transferring 
    Eff: transferring ← false 

Figure 1: The Control SIOA 
Trans_1 

Signature 
  Input: 
    lose_1, gain_1, talk_1     initially: lose_1, gain_1, talk_1 
  Output: 
    switch_1                   initially: switch_1 
  Internal: 
    ∅                          constant 

State 
  transferring ∈ {true, false}, true iff in the middle of a transfer of Car to the other controller 
  active ∈ {true, false}, true iff this transmitter is currently handling the Car, initially false 

Actions 
  Input lose_1 
    Eff: if active then 
           transferring ← true; 
           active ← false 

  Output switch_1 
    Pre: transferring 
    Eff: transferring ← false; 
         in ← in − {talk_1}; 
         out ← out − {switch_1} 

  Input gain_1 
    Eff: in ← in ∪ {talk_1}; 
         out ← out ∪ {switch_1}; 
         active ← true 

  Input talk_1 
    Eff: skip 

Figure 2: The Trans_1 SIOA 


Car 

Signature 
  Input: 
    switch_1, switch_2     initially: switch_1 
  Output: 
    talk_1, talk_2         initially: talk_1 
  Internal: 
    ∅                      constant 

State 
  transmitter ∈ {1, 2}, the identity of the transmitter that Car is currently connected to 

Actions 
  Output talk_1 
    Pre: transmitter = 1 
    Eff: skip 

  Output talk_2 
    Pre: transmitter = 2 
    Eff: skip 

  Input switch_1 
    Eff: in ← in − {switch_1} ∪ {switch_2}; 
         out ← out − {talk_1} ∪ {talk_2} 

  Input switch_2 
    Eff: in ← in − {switch_2} ∪ {switch_1}; 
         out ← out − {talk_2} ∪ {talk_1} 

Figure 3: The Car SIOA 
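To make the handoff concrete, here is an executable model of the three SIOA above, written for this page as an added example and not taken from the paper. It encodes the signatures, preconditions and effects of Figures 1-3 in Python; a component participates in an action exactly when that action is in its current signature, which is what lets the model show that talk_1 can no longer occur once Car has been switched to Trans_2. Assumptions not in the figures: Trans_2 is the mirror image of Trans_1, Trans_1 starts active (Car starts connected to it), and Car's switch_i also updates its transmitter variable so that the precondition of talk_j can hold afterwards.

```python
"""Executable model of the Car handoff between Trans_1 and Trans_2 under
Control, encoding the pseudocode of Figures 1-3.  Added example, not the
paper's code.  Assumptions: Trans_2 mirrors Trans_1; Trans_1 starts active;
Car's switch_i also records the new transmitter (Figure 3 leaves it
unchanged); a component takes part in an action exactly when the action is
in its *current* signature."""


class SIOA:
    def __init__(self, name, state, pre, eff):
        self.name, self.state, self.pre, self.eff = name, state, pre, eff

    def sig(self):
        # Current signature (in, out, int).  in/out are state variables, as in
        # the figures; none of these automata has internal actions.
        return self.state["in"], self.state["out"], set()


def control():                                   # Figure 1
    def pre(st, a):                              # lose_i / gain_i
        i = int(a[-1])
        if a.startswith("lose"):
            return st["assigned"] == i and not st["transferring"]
        return st["assigned"] == i and st["transferring"]

    def eff(st, a):
        if a.startswith("lose"):
            st["assigned"], st["transferring"] = 3 - int(a[-1]), True
        else:
            st["transferring"] = False

    st = {"assigned": 1, "transferring": False, "in": set(),
          "out": {"lose_1", "gain_1", "lose_2", "gain_2"}}
    return SIOA("Control", st, pre, eff)


def trans(i, active):                            # Figure 2, for Trans_i
    talk, switch = f"talk_{i}", f"switch_{i}"

    def pre(st, a):                              # the only output is switch_i
        return st["transferring"]

    def eff(st, a):
        if a == f"lose_{i}":
            if st["active"]:
                st["transferring"], st["active"] = True, False
        elif a == switch:
            st["transferring"] = False
            st["in"] -= {talk}
            st["out"] -= {switch}
        elif a == f"gain_{i}":
            st["in"] |= {talk}
            st["out"] |= {switch}
            st["active"] = True
        # talk_i: Eff: skip

    st = {"transferring": False, "active": active,
          "in": {f"lose_{i}", f"gain_{i}"} | ({talk} if active else set()),
          "out": {switch} if active else set()}
    return SIOA(f"Trans_{i}", st, pre, eff)


def car():                                       # Figure 3
    def pre(st, a):                              # talk_i: Pre: transmitter = i
        return st["transmitter"] == int(a[-1])

    def eff(st, a):
        if not a.startswith("switch"):           # talk_i: Eff: skip
            return
        i = int(a[-1])
        j = 3 - i
        st["in"] = (st["in"] - {f"switch_{i}"}) | {f"switch_{j}"}
        st["out"] = (st["out"] - {f"talk_{i}"}) | {f"talk_{j}"}
        st["transmitter"] = j                    # assumption, see docstring

    st = {"transmitter": 1, "in": {"switch_1"}, "out": {"talk_1"}}
    return SIOA("Car", st, pre, eff)


def participants(system, a):
    """Components whose current signature contains a."""
    return [c for c in system if a in c.sig()[0] | c.sig()[1]]


def enabled(system, a):
    """a is enabled iff exactly one component currently has it as an output
    and that component's precondition holds."""
    owners = [c for c in system if a in c.sig()[1]]
    return len(owners) == 1 and owners[0].pre(owners[0].state, a)


def step(system, a):
    """Execute a jointly in every participating component; return their names."""
    if not enabled(system, a):
        raise ValueError(f"{a} is not enabled")
    parts = participants(system, a)
    for c in parts:
        c.eff(c.state, a)
    return sorted(c.name for c in parts)


def handoff():
    """Transfer Car from Trans_1 to Trans_2.  Returns the participants of each
    action and the talk actions enabled at the end."""
    system = [control(), trans(1, True), trans(2, False), car()]
    log = [(a, step(system, a))
           for a in ["talk_1", "lose_1", "switch_1", "gain_2", "talk_2"]]
    return log, [a for a in ["talk_1", "talk_2"] if enabled(system, a)]
```

Running handoff() executes talk_1, lose_1, switch_1, gain_2, talk_2 in turn. After switch_1, talk_1 is in nobody's output set, so the only enabled talk action is talk_2, and a further step(system, "talk_1") raises ValueError: this is the signature change, not a precondition, that rules the action out.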


3 Compositional Reasoning for Signature I/O Automata 


To confirm that our model provides a reasonable notion of concurrent composition, which has the expected 
properties, and to enable compositional reasoning, we establish execution “projection” and “pasting” results 
for compositions. We deal with both execution projection/pasting and with trace pasting. The main goal is 
to establish that parallel composition is monotonic with respect to trace inclusion: if an SIOA in a parallel 
composition is replaced by one with fewer traces, then the overall composition cannot have more traces than 
before, i.e., no new behaviors are added. 


3.1 Execution Projection and Pasting for SIOA 


Given a parallel composition $A = A_1 \| \cdots \| A_n$ of $n$ SIOA, we define the projection of an alternating 
sequence of states and actions of $A$ onto one of the $A_i$, $i \in [1:n]$, in the usual way: the state components 
for all SIOA other than $A_i$ are removed, and so are all actions in which $A_i$ does not participate. 


Definition 9 (Execution projection for SIOA) Let $A = A_1 \| \cdots \| A_n$ be an SIOA. Let $\alpha$ be a sequence 
$s^0 a^1 s^1 a^2 s^2 \ldots s^{j-1} a^j s^j \ldots$ where $\forall j \ge 0, s^j = (s^j_1, \ldots, s^j_n) \in states(A)$ and $\forall j > 0, a^j \in sig(A)(s^{j-1})$. Then, 
for $i \in [1:n]$, define $\alpha \lceil A_i$ to be the sequence resulting from: 

1. replacing each $s^j$ by its $i$'th component $s^j_i$, and then 

2. removing all $a^j s^j$ such that $a^j \notin sig(A_i)(s^{j-1}_i)$. 


$s^j_i$ is the component of $s^j$ which gives the state of $A_i$. $sig(A_i)(s^{j-1}_i)$ is the signature of $A_i$ when in state 
$s^{j-1}_i$. Thus, if $a^j \notin sig(A_i)(s^{j-1}_i)$, then the action $a^j$ does not occur in the signature $sig(A_i)(s^{j-1}_i)$, and 
$A_i$ does not participate in the execution of $a^j$. In this case, $a^j$ and the following state are removed from 
the projection, since the idea behind execution projection is to retain only the state of $A_i$, and only the 
actions which $A_i$ participates in. Note that we do not require $\alpha$ to actually be an execution of $A$, since this 
is unnecessary for the definition, and also facilitates the statement of execution pasting below. 


Our execution projection result states that the projection of an execution of a composed SIOA $A = A_1 \| 
\cdots \| A_n$ onto a component $A_i$ is an execution of $A_i$. 


Theorem 4 (Execution projection for SIOA) Let $A = A_1 \| \cdots \| A_n$ be an SIOA, and let $i \in [1:n]$. If 
$\alpha \in execs(A)$ then $\alpha \lceil A_i \in execs(A_i)$ for all $i \in [1:n]$. 


Proof: Let $\alpha = u^0 a^1 u^1 a^2 u^2 \ldots \in execs(A)$, and let $s^0 = u^0 \lceil A_i$. Then, by Definition 9, $s^0 \in start(A_i)$ and 
$\alpha \lceil A_i = s^0 b^1 s^1 b^2 s^2 \ldots$ for some $b^1 s^1 b^2 s^2 \ldots$, where $s^j \in states(A_i)$ for $j \ge 1$. 

Consider an arbitrary step $(s^{j-1}, b^j, s^j)$ of $\alpha \lceil A_i$. Since $b^j s^j$ was not removed in Clause 2 of Definition 9, we 
have 
(1) $s^j = u^k \lceil A_i$ for some $k > 0$ and such that $a^k \in sig(A_i)(u^{k-1} \lceil A_i)$, 
(2) $b^j = a^k$, and 
(3) $s^{j-1} = u^\ell \lceil A_i$ for the smallest $\ell$ such that 
$\ell < k$ and $\forall m : \ell + 1 \le m < k : a^m \notin sig(A_i)(u^{m-1} \lceil A_i)$. 

From (3) and Definitions 6 and 9, $u^\ell \lceil A_i = u^{k-1} \lceil A_i$. Hence $s^{j-1} = u^{k-1} \lceil A_i$. From $u^{k-1} \xrightarrow{a^k}_A u^k$, $a^k \in 
sig(A_i)(u^{k-1} \lceil A_i)$, and Definition 6, we have $u^{k-1} \lceil A_i \xrightarrow{a^k}_{A_i} u^k \lceil A_i$. Hence $s^{j-1} \xrightarrow{b^j}_{A_i} s^j$ from $s^{j-1} = u^{k-1} \lceil A_i$ 
established above and (1), (2). Now $s^{j-1}, s^j \in states(A_i)$, and so $(s^{j-1}, b^j, s^j) \in steps(A_i)$. 

Since $(s^{j-1}, b^j, s^j)$ was arbitrarily chosen, we conclude that every step of $\alpha \lceil A_i$ is a step of $A_i$. Since the first 
state of $\alpha \lceil A_i$ is $s^0$, and $s^0 \in start(A_i)$, we have established that $\alpha \lceil A_i$ is an execution of $A_i$. 


Execution pasting is, roughly, an “inverse” of projection. If $\alpha$ is an alternating sequence of states and 
actions of a composed SIOA $A = A_1 \| \cdots \| A_n$ such that (1) the projection of $\alpha$ onto each $A_i$ is an actual 
execution of $A_i$, and (2) every action of $\alpha$ not involving $A_i$ does not change the state of $A_i$, then $\alpha$ will be an 
actual execution of $A$. Condition (1) is the “inverse” of execution projection. Condition (2) is a consistency 
condition which requires that $A_i$ cannot “spuriously” change its state when an action not in the current 
signature of $A_i$ is executed. 
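The following Python, added here as an illustration and not part of the paper, implements the projection of Definition 9 and checks the two conditions just described on a constructed execution of a two-component composition. The components and executions are invented for the example; a component's signature is simplified to the set of actions it currently accepts, since projection only tests membership. The second execution shows why condition (2) is needed: its projections are both executions, yet one component changes state on an action it does not take part in.

```python
"""Execution projection (Definition 9) and the two pasting conditions of
Theorem 5, as an added example; not the paper's code.  A component is a
triple (start, sig, steps): its start states, a function from state to the
set of actions in its current signature, and its set of steps.  An execution
of the composition is a list s0, a1, s1, a2, s2, ... whose states are tuples
of component states.  Components and executions below are constructed."""


def project(alpha, i, comps):
    """alpha restricted to component i: keep the i'th component of every state
    and drop each a^j s^j with a^j not in sig_i(s^{j-1}_i)."""
    sig = comps[i][1]
    out = [alpha[0][i]]
    for j in range(1, len(alpha), 2):
        a, prev, nxt = alpha[j], alpha[j - 1][i], alpha[j + 1][i]
        if a in sig(prev):
            out += [a, nxt]
    return out


def is_execution(seq, comp):
    """seq starts in a start state of comp and every step is a step of comp."""
    start, _, steps = comp
    return seq[0] in start and all(
        (seq[j - 1], seq[j], seq[j + 1]) in steps for j in range(1, len(seq), 2))


def pasting_conditions(alpha, comps):
    """For each component, (clause 1, clause 2) of Theorem 5: its projection
    is one of its executions, and an action outside its current signature
    leaves its state unchanged."""
    result = []
    for i, comp in enumerate(comps):
        sig = comp[1]
        clause1 = is_execution(project(alpha, i, comps), comp)
        clause2 = all(alpha[j] in sig(alpha[j - 1][i])
                      or alpha[j - 1][i] == alpha[j + 1][i]
                      for j in range(1, len(alpha), 2))
        result.append((clause1, clause2))
    return result


def all_paste(alpha, comps):
    """True iff both hypotheses of Theorem 5 hold for every component."""
    return all(c1 and c2 for c1, c2 in pasting_conditions(alpha, comps))


# Two constructed components whose signatures change with their state:
# A1 accepts a in state 0 and b in state 1; A2 accepts a in state 0 and c in 1.
A1 = ({0}, lambda s: {"a"} if s == 0 else {"b"}, {(0, "a", 1), (1, "b", 1)})
A2 = ({0}, lambda s: {"a"} if s == 0 else {"c"}, {(0, "a", 1), (1, "c", 1)})
COMPS = [A1, A2]

# A sequence that satisfies both conditions and so is an execution of A1 || A2.
GOOD = [(0, 0), "a", (1, 1), "b", (1, 1), "c", (1, 1)]
# A sequence where A2 changes state on b, an action it does not take part in:
# both projections are executions, but clause 2 fails for A2.
BAD = [(0, 0), "a", (1, 1), "b", (1, 0)]
```

Note that project() compares each action against the signature of the actual preceding component state s^{j-1}_i, as Definition 9 says, rather than against the last state kept in the projection; the two coincide exactly when clause 2 holds.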


Theorem 5 (Execution pasting for SIOA) Let $A = A_1 \| \cdots \| A_n$ be an SIOA. Let $\alpha$ be a sequence 
$s^0 a^1 s^1 a^2 s^2 \ldots s^{j-1} a^j s^j \ldots$ where $\forall j \ge 0, s^j = (s^j_1, \ldots, s^j_n) \in states(A)$ and $\forall j > 0, a^j \in sig(A)(s^{j-1})$. 
Furthermore, suppose that, for all $i \in [1:n]$: 

1. $\alpha \lceil A_i \in execs(A_i)$, and 
2. $\forall j > 0$: if $a^j \notin sig(A_i)(s^{j-1}_i)$ then $s^{j-1}_i = s^j_i$. 
Then, $\alpha \in execs(A)$. 


Proof: We shall establish, by induction on $j$: 
$\forall j \ge 0 : \alpha|_j \in execs(A)$. (*) 
From which we can conclude $s^0 \in start(A)$ and $\forall j > 0 : (s^{j-1}, a^j, s^j) \in steps(A)$. Definition 2 then implies 
the desired conclusion, $\alpha \in execs(A)$. 

Base case: $j = 0$. 
So $\alpha|_0 = s^0$. Now $s^0 = (s^0_1, \ldots, s^0_n)$ by assumption. By Definition 9, $s^0_i$ is the first state of $\alpha \lceil A_i$, for $1 \le i \le n$. 
By clause 1, $\alpha \lceil A_i \in execs(A_i)$, and so $s^0_i \in start(A_i)$, for $1 \le i \le n$. Thus, by Definition 6, $s^0 \in start(A)$. 

Induction step: $j > 0$. 
Assume the induction hypothesis: 
$\alpha|_{j-1} \in execs(A)$ (ind. hyp.) 
and establish $\alpha|_j \in execs(A)$. By Definition 2, it is clearly sufficient to establish $s^{j-1} \xrightarrow{a^j}_A s^j$. 

By assumption, $a^j \in sig(A)(s^{j-1})$. Let $\varphi \subseteq [1:n]$ be the unique set such that $\forall i \in \varphi : a^j \in sig(A_i)(s^{j-1} \lceil A_i)$ 
and $\forall i \in [1:n] - \varphi : a^j \notin sig(A_i)(s^{j-1} \lceil A_i)$. Thus, by Definition 9: 
$\forall i \in \varphi : (s^{j-1} \lceil A_i, a^j, s^j \lceil A_i)$ lies along $\alpha \lceil A_i$. 
Since $\forall i \in [1:n] : \alpha \lceil A_i \in execs(A_i)$ and $A_i$ is an SIOA, 
$\forall i \in \varphi : s^{j-1} \lceil A_i \xrightarrow{a^j}_{A_i} s^j \lceil A_i$. 
Also, by clause 2, 

By Definition 6 

Hence 
$s^{j-1} \xrightarrow{a^j}_A s^j$. 
From the induction hypothesis ($\alpha|_{j-1} \in execs(A)$), $s^{j-1} \xrightarrow{a^j}_A s^j$, and Definition 2, we have $\alpha|_j \in execs(A)$. 


3.2 Trace Pasting for SIOA 


We deal only with trace pasting, and not trace projection. Trace projection is not well-defined since a trace 
of $A = A_1 \| \cdots \| A_n$ does not contain information about the $A_i$, $i \in [1:n]$. Since the external signatures 
of each $A_i$ vary, there is no way of determining, from a trace $\beta$, which $A_i$ participate in each action along 
$\beta$. Thus, the projection of $\beta$ onto some $A_i$ cannot be recovered from $\beta$ itself, but only from an execution 
$\alpha$ whose trace is $\beta$. Since there are, in general, several such executions, the projection of $\beta$ onto $A_i$ can be 
different, depending on which execution we select. Hence, the projection of $\beta$ onto $A_i$ is not well-defined as a 
single trace. It could be defined as the set $\beta \lceil A_i = \{\beta_i \mid (\exists \alpha \in execs(A) : trace(\alpha) = \beta \wedge \beta_i = trace(\alpha \lceil A_i))\}$, 
i.e., all traces of $A_i$ that can be generated by taking all executions $\alpha$ whose trace is $\beta$, projecting those 
executions onto $A_i$, and then taking the trace. We do not pursue this avenue here. 


We find it sufficient to deal only with trace pasting, since we are able to establish our main result, trace 
substitutivity, which states that replacing an SIOA in a parallel composition by one whose traces are a 
subset of the former’s, results in a parallel composition whose traces are a subset of the original parallel 
composition’s. In other words, trace-containment is monotonic with respect to parallel composition. 


Let $\Sigma = (in, out, int)$ and $\Sigma' = (in', out', int')$ be signatures. We define $\widehat{\Sigma} = in \cup out \cup int$, and $\Sigma \subseteq \Sigma'$ to 
mean $in \subseteq in'$ and $out \subseteq out'$ and $int \subseteq int'$. 


Definition 10 (Pretrace) A pretrace $\gamma = \gamma(1)\gamma(2)\ldots$ is a nonempty sequence such that 

1. For all $i \ge 1$, $\gamma(i)$ is an external signature or an action 
2. $\gamma(1)$ is an external signature 
3. No two successive elements of $\gamma$ are actions 
4. For all $i > 1$, if $\gamma(i)$ is an action $a$, then $\gamma(i-1)$ is an external signature containing $a$ ($a \in \widehat{\gamma(i-1)}$) 
5. If $\gamma$ is finite, then it ends in an external signature 


The notion of a pretrace is similar to that of a trace, but it permits “stuttering”: the (possibly infinite) 
repetition of the same external signature. This simplifies the subsequent proofs, since it allows us to “stretch” 
and “compress” pretraces corresponding to different SIOA so that they “line up” nicely. Our definition of 
a pretrace does not depend on a particular SIOA, i.e., we have not defined “a pretrace of an SIOA $A$,” but 
rather just a pretrace in general. We define “pretrace of an SIOA $A$” below. 


Definition 11 (Reduction of pretrace to a trace) Let $\gamma$ be a pretrace. Then $r(\gamma)$ is the result of 
replacing all maximal blocks of identical external signatures in $\gamma$ by a single representative. In particular, if 
$\gamma$ has an infinite suffix consisting of repetitions of an external signature, then that is replaced by a single 
representative. 


If $\gamma = r(\gamma)$, then we say that $\gamma$ is a trace. This defines a notion of trace in general, as opposed to “trace 
of an SIOA $A$.” We now define stuttering-equivalence ($\approx$) for pretraces. Essentially, if one pretrace can be 
obtained from another by adding and/or removing repeated external signatures, then they are stuttering 
equivalent. 


Definition 12 ($\approx$) Let $\gamma, \gamma'$ be pretraces. Then $\gamma \approx \gamma'$ iff $r(\gamma) = r(\gamma')$. 


It is obvious that $\approx$ is an equivalence relation. Note that every trace is also a pretrace, but not necessarily 
vice-versa, since repeated external signatures (stuttering) are disallowed in traces. The length $|\gamma|$ of a finite 
pretrace $\gamma$ is the number of occurrences of external signatures and actions in $\gamma$. The length of an infinite 
pretrace is $\omega$. Let pretrace $\gamma = \gamma(1)\gamma(2)\ldots$. Then for $1 \le i \le |\gamma|$, define $\gamma|_i = \gamma(1)\gamma(2)\ldots\gamma(i)$. We 
define concatenation for pretraces as simply sequence concatenation, and will usually use juxtaposition to 
denote pretrace concatenation, but will sometimes use the $\frown$ operator for clarity. The concatenation of two 
pretraces is always a pretrace (note that this is not true of traces, since concatenating two traces can result 
in a repeated external signature). We use $<$, $\le$ for proper prefix, prefix, respectively, of a pretrace: $\gamma < \gamma'$ 
iff there exists a pretrace $\gamma''$ such that $\gamma' = \gamma \gamma''$, and $\gamma \le \gamma'$ iff $\gamma = \gamma'$ or $\gamma < \gamma'$. If $\gamma'$ is a pretrace and 
$\gamma \le \gamma'$, then $\gamma$ satisfies clauses 1–4 of Definition 10, but may not satisfy clause 5. For a finite sequence $\gamma$ 
that does satisfy clauses 1–4 of Definition 10, define the predicate $ispretrace(\gamma) \triangleq (last(\gamma)$ is an external 
signature$)$, where $last(\gamma)$ is the last element of $\gamma$. 


We now define a predicate $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ which takes $n + 1$ pretraces and holds when $\gamma$ is a possible 
result of “zipping” up $\gamma_1, \ldots, \gamma_n$, as would result when $\gamma_1, \ldots, \gamma_n$ are pretraces of compatible SIOA $A_1, \ldots, A_n$ 
respectively, and $\gamma$ is the corresponding pretrace of $A = A_1 \| \cdots \| A_n$. 


Definition 13 (zip of pretraces) Let $\gamma, \gamma_1, \ldots, \gamma_n$ be pretraces ($n \ge 1$). The predicate 
$zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds iff all the following hold: 
1. $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$ 
2. For all $i > 1$: if $\gamma(i)$ is an action $a$, then there exists nonempty $\varphi_i \subseteq [1:n]$ such that 
(a) $\forall k \in \varphi_i : \gamma_k(i) = a$, and 
(b) $\forall \ell \in [1:n] - \varphi_i : \gamma_\ell(i-1) = \gamma_\ell(i) = \gamma_\ell(i+1)$, $\gamma_\ell(i)$ is an external signature $\Gamma_\ell$, and $a \notin \widehat{\Gamma_\ell}$. 

3. For all $i > 0$: if $\gamma(i)$ is an external signature $\Gamma$, then for all $j \in [1:n]$, $\gamma_j(i)$ is an external signature 
$\Gamma_j$ and $\Gamma = \prod_{j \in [1:n]} \Gamma_j$. 

4. For all $i > 0$, if $\gamma(i-1)$ and $\gamma(i)$ are both external signatures, then there exists $k \in [1:n]$ such that 
$\forall \ell \in [1:n] - k : \gamma_\ell(i-1) = \gamma_\ell(i)$. 
Clause 1 requires that $\gamma, \gamma_1, \ldots, \gamma_n$ all have the same length, so that they “line up” nicely. Clause 2 requires 
that external actions $a$ appearing in $\gamma$ are executed by a nonempty subset of the corresponding SIOA, and 
that the $\gamma_j$ corresponding to automata that do not execute $a$ are unchanged in the corresponding positions. 
Clause 3 requires that an external signature appearing in $\gamma$ is the product of the external signatures in the 
same position in all the $\gamma_j$, which moreover cannot have an external action at that position. Clause 4 requires 
that, whenever there are two consecutive external signatures in $\gamma$, this corresponds to the execution of 
an internal action by one particular SIOA $k$, so that the $\gamma_\ell$ for all $\ell \ne k$ are unchanged in the corresponding 
positions. 
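As an added example (not code from the paper), the following Python implements Definitions 10 through 13 for finite pretraces: the pretrace well-formedness conditions, the reduction $r$, stuttering equivalence, and the zips predicate with its four clauses. The external signatures and pretraces at the bottom are constructed for illustration, and the product of external signatures is assumed to be the usual I/O-automaton composition (outputs united, inputs united minus the outputs), which the text above does not spell out. The example also shows why pretraces rather than traces are zipped: the two component traces have different lengths and only line up once one of them stutters.

```python
"""Pretraces, their reduction r, stuttering equivalence, and the zips
predicate of Definitions 10-13, as an added example (not the paper's code).
An external signature is a pair (in, out) of frozensets; an action is a
string.  The product of external signatures is assumed to be the usual
I/O-automaton one: outputs are united, inputs are united minus the outputs.
The signatures and pretraces at the bottom are constructed."""


def is_sig(x):
    return isinstance(x, tuple)


def hat(sig):
    """All actions of an external signature (the hat notation of the text)."""
    return sig[0] | sig[1]


def is_pretrace(gamma):                          # Definition 10, finite case
    if not gamma or not is_sig(gamma[0]) or not is_sig(gamma[-1]):
        return False
    for i in range(1, len(gamma)):
        if not is_sig(gamma[i]) and (not is_sig(gamma[i - 1])
                                     or gamma[i] not in hat(gamma[i - 1])):
            return False
    return True


def reduce_pretrace(gamma):                      # Definition 11, r(gamma)
    out = []
    for x in gamma:
        if not (out and is_sig(x) and out[-1] == x):
            out.append(x)
    return out


def stutter_equiv(g1, g2):                       # Definition 12
    return reduce_pretrace(g1) == reduce_pretrace(g2)


def product(sigs):
    """Assumed product of external signatures (standard I/O composition)."""
    outs = frozenset().union(*(s[1] for s in sigs))
    ins = frozenset().union(*(s[0] for s in sigs))
    return (ins - outs, outs)


def zips(gamma, parts):                          # Definition 13
    n = len(parts)
    if not all(is_pretrace(g) for g in [gamma] + parts):
        return False
    if any(len(g) != len(gamma) for g in parts):      # clause 1
        return False
    for i, x in enumerate(gamma):
        if not is_sig(x):                             # clause 2: x is an action
            phi = [k for k in range(n) if parts[k][i] == x]
            if not phi:
                return False
            for g in (parts[l] for l in range(n) if l not in phi):
                if not (is_sig(g[i]) and g[i - 1] == g[i] == g[i + 1]
                        and x not in hat(g[i])):
                    return False
        else:                                         # clause 3
            col = [g[i] for g in parts]
            if not all(is_sig(s) for s in col) or product(col) != x:
                return False
            if i > 0 and is_sig(gamma[i - 1]):        # clause 4
                if sum(g[i - 1] != g[i] for g in parts) > 1:
                    return False
    return True


# Constructed example: A_1 outputs a; A_2 inputs a and outputs b.
G1 = (frozenset(), frozenset({"a"}))
G2 = (frozenset({"a"}), frozenset({"b"}))
G = product([G1, G2])

# The component traces have different lengths and so cannot zip as they
# stand; after stuttering G1 while A_2 performs b, they do.
TRACE_1 = [G1, "a", G1]
TRACE_2 = [G2, "a", G2, "b", G2]
GAMMA_1 = [G1, "a", G1, G1, G1]
GAMMA = [G, "a", G, "b", G]
```

zips(GAMMA, [GAMMA_1, TRACE_2]) holds, zips(GAMMA, [TRACE_1, TRACE_2]) fails on clause 1, and a variant of GAMMA_1 whose last signature differs fails on clause 2(b), since $A_1$ would be changing its signature during an action it does not take part in. The zip predicate on traces (Definition 14) additionally quantifies over all stutterings, so checking it requires a search over insertions of repeated signatures; it is not implemented here.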


Proposition 6 Let $\gamma, \gamma_1, \ldots, \gamma_n$ all be pretraces ($n \ge 1$). Suppose $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Then, for all $i$ such 
that $1 \le i \le |\gamma|$ and $ispretrace(\gamma|_i)$ (i.e., $\gamma(i)$ is an external signature): (1) $(\forall j \in [1:n] : ispretrace(\gamma_j|_i))$, 
and (2) $zips(\gamma|_i, \gamma_1|_i, \ldots, \gamma_n|_i)$. 


Proof: Immediate from Definition 13. 


We use the $zips$ predicate on pretraces together with the $\approx$ relation on pretraces to define a “zipping” 
predicate for traces: the trace $\beta$ is a possible result of “zipping up” the traces $\beta_1, \ldots, \beta_n$ if there exist 
pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ that are stuttering-equivalent to $\beta, \beta_1, \ldots, \beta_n$ respectively, and for which the $zips$ 
predicate holds. The predicate so defined is named $zip$. Thus, $zips$ is “zipping with stuttering,” as applied 
to pretraces, and $zip$ is “zipping without stuttering,” as applied to traces. 


Definition 14 (zip of traces) Let $\beta, \beta_1, \ldots, \beta_n$ be traces ($n \ge 1$). The predicate 
$zip(\beta, \beta_1, \ldots, \beta_n)$ holds iff there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $(\forall j \in [1:n] : \gamma_j \approx \beta_j)$ 
and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. 


Define $pretraces(A) = \{\gamma \mid \exists \beta \in traces(A) : \beta \approx \gamma\}$. That is, $pretraces(A)$ is the set of pretraces which 
are stuttering-equivalent to some trace of $A$. An equivalent definition which is sometimes more convenient 
is $pretraces(A) = \{\gamma \mid \exists \alpha \in execs(A) : trace(\alpha) \approx \gamma\}$. We also define $pretraces^*(A) = \{\gamma \mid \gamma \in 
pretraces(A)$ and $\gamma$ is finite$\}$. 


Given $\gamma \in pretraces(A)$, we define $texecs(A)(\gamma) = \{\alpha \mid \alpha \in execs(A) \wedge trace(\alpha) \approx \gamma\}$. In other words, 
$texecs(A)(\gamma)$ is the set of executions (possibly empty) of $A$ whose trace is stuttering-equivalent to $\gamma$. Also, 
$execs^*(A)(\gamma) = \{\alpha \mid \alpha \in execs^*(A) \wedge trace(\alpha) \approx \gamma\}$, i.e., the set of finite executions (possibly empty) of $A$ 
whose trace is stuttering-equivalent to $\gamma$. 


Theorem 7 states that if a set of finite pretraces consisting of one $\gamma_j \in pretraces(A_j)$ for each $j \in [1:n]$ can 
be “zipped up” to generate a finite pretrace $\gamma$, then $\gamma$ is a pretrace of $A_1 \| \cdots \| A_n$, and furthermore, any 
set of executions corresponding to the $\gamma_j$ can be pasted together to generate an execution of $A_1 \| \cdots \| A_n$ 
corresponding to $\gamma$. Theorem 7 is established by induction on the length of $\gamma$, and the explicit use of 
executions corresponding to the pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ is needed to make the induction go through. 


Theorem 7 (Finite-pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| 
\cdots \| A_n$. Let $\gamma$ be a finite pretrace. If, for all $j \in [1:n]$, a finite pretrace $\gamma_j \in pretraces^*(A_j)$ can be chosen 
so that $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds, then 

$\forall \alpha_1 \in execs^*(A_1)(\gamma_1), \ldots, \forall \alpha_n \in execs^*(A_n)(\gamma_n),$ 
$\exists \alpha \in execs^*(A)(\gamma) : (\forall j \in [1:n] : \alpha \lceil A_j = \alpha_j)$. 


Proof: Let $\gamma_j \in pretraces^*(A_j)$ for $j \in [1:n]$ be the pretraces given by the antecedent of the theorem. Also 
let $\gamma$ be the finite pretrace such that $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Hence $execs^*(A_j)(\gamma_j) \ne \emptyset$ for all $j \in [1:n]$. Fix $\alpha_j$ 
to be an arbitrary element of $execs^*(A_j)(\gamma_j)$, for all $j \in [1:n]$. The theorem is established if we prove 

$\exists \alpha \in execs^*(A)(\gamma) : (\forall j \in [1:n] : \alpha \lceil A_j = \alpha_j)$. (*) 
The proof is by induction on $|\gamma|$, the length of $\gamma$. We assume the induction hypothesis for all prefixes of $\gamma$ 
that are pretraces. 

Base case: $|\gamma| = 1$. Hence $\gamma$ consists of a single external signature $\Gamma$. For the rest of the base case, let $j$ 
range over $[1:n]$. By $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ and Definition 13, we have that each $\gamma_j$ consists of a single external 
signature $\Gamma_j$, and $\Gamma = \prod_{j \in [1:n]} \Gamma_j$. Since $\gamma_1, \ldots, \gamma_n$ contain no actions, $\alpha_1, \ldots, \alpha_n$ must contain only internal 
actions (if any). Furthermore, all the states along $\alpha_j$, $j \in [1:n]$, must have the same external signature, 
namely $\Gamma_j$. 


By Definition 6, we can construct an execution $\alpha$ of $A$ by first executing all the internal actions in $\alpha_1$ (in 
the sequence in which they occur in $\alpha_1$), and then executing all the internal actions in $\alpha_2$, etc. until we 
have executed all the actions of $\alpha_n$, in sequence. It immediately follows, by Definition 9, that $\forall j \in [1:n] : 
\alpha \lceil A_j = \alpha_j$. The external signature of every state along $\alpha$ is $\prod_{j \in [1:n]} \Gamma_j$, i.e., $\Gamma$, since the external signature 
component contributed by each $A_j$ is always $\Gamma_j$. Hence, by Definition 2, $trace(\alpha) \approx \Gamma$. Thus, $trace(\alpha) \approx \gamma$. 
We have thus established $trace(\alpha) \approx \gamma$ and $(\bigwedge_{j \in [1:n]} \alpha \lceil A_j = \alpha_j)$. Hence (*) is established. 

Induction step: $|\gamma| > 1$. There are two cases to consider, according to Definition 13. 


Case 1: $\gamma = \gamma' a \Gamma$, $\gamma'$ is a pretrace, $a$ is an action, and $\Gamma$ is an external signature. 
Hence, by Definition 13, we have 
$\exists \varphi : \emptyset \ne \varphi \wedge \varphi \subseteq [1:n] \wedge$ 
$(\forall k \in \varphi : \gamma_k = \gamma'_k a \Gamma_k \wedge a \in \widehat{last(\gamma'_k)}) \wedge$ 
$(\forall \ell \in [1:n] - \varphi : \gamma_\ell = \gamma'_\ell \Gamma_\ell \Gamma_\ell \wedge \Gamma_\ell = last(\gamma'_\ell) \wedge a \notin \widehat{\Gamma_\ell}) \wedge$ 
$zips(\gamma', \gamma'_1, \ldots, \gamma'_n) \wedge$ 
$\Gamma = (\prod_{k \in \varphi} \Gamma_k) \times (\prod_{\ell \in [1:n] - \varphi} \Gamma_\ell)$. (a) 
For the rest of this case, let $j$ range over $[1:n]$, $k$ range over $\varphi$, and $\ell$ range over $[1:n] - \varphi$. Figure 4 
gives a diagram of the relevant executions, pretraces, and external signatures for this case. Horizontal solid 
lines indicate executions and pretraces, and vertical dashed ones indicate the $zips$ relation. Bullets indicate 
particular states that are used in the proof. 


In (a), we have that $\gamma'_j \in pretraces^*(A_j)$ for all $j$, since $\gamma'_j \le \gamma_j$ and $\gamma_j \in pretraces^*(A_j)$ for all $j$. Since we 
also have $\gamma' < \gamma$ and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain 

$\forall \alpha'_1 \in execs^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in execs^*(A_n)(\gamma'_n) :$ 
$\exists \alpha' \in execs^*(A)(\gamma') : (\forall j \in [1:n] : \alpha' \lceil A_j = \alpha'_j)$ (b) 

By assumption, $\alpha_k \in execs^*(A_k)(\gamma_k)$. Hence, we can find a finite execution $\alpha'_k$, and finite execution fragment 
$\alpha''_k$ such that $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$, $ext(A_k)(t_k) = \Gamma_k$, and $t_k = first(\alpha''_k)$. 
Furthermore, $\alpha'_k \in execs^*(A_k)(\gamma'_k)$, since $\alpha_k \in execs^*(A_k)(\gamma_k)$, $\gamma_k = \gamma'_k a \Gamma_k$, and $ext(A_k)(t_k) = \Gamma_k$. Also, $\alpha''_k$ 
consists entirely of internal actions, and $trace(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$. 

By assumption, $\alpha_\ell \in execs^*(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = last(\alpha_\ell)$. Hence $\alpha'_\ell \in 
execs^*(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$ (from $\gamma_\ell = \gamma'_\ell \Gamma_\ell \Gamma_\ell \wedge \Gamma_\ell = last(\gamma'_\ell)$ in (a)). Instantiating (b) for these choices of 
$\alpha'_1, \ldots, \alpha'_n$, we obtain that some $\alpha'$ exists such that: 
$(\forall j \in [1:n] : \alpha' \lceil A_j = \alpha'_j) \wedge$ 
$\alpha' \in execs^*(A)(\gamma') \wedge$ 
$(\forall k \in \varphi : (s_k, a, t_k) \in steps(A_k) \wedge ext(A_k)(t_k) = \Gamma_k)$. (c) 
By $\alpha'_\ell \in execs^*(A_\ell)(\gamma'_\ell)$ and $s_\ell = last(\alpha'_\ell)$, we have $ext(A_\ell)(s_\ell) = last(\gamma'_\ell)$. Hence, by (a), we have 
$ext(A_\ell)(s_\ell) = \Gamma_\ell$. Also, by (a), $a \notin \widehat{\Gamma_\ell}$. Thus, 
$(\forall \ell \in [1:n] - \varphi : a \notin \widehat{ext(A_\ell)(s_\ell)} \wedge ext(A_\ell)(s_\ell) = \Gamma_\ell)$. (d) 
Also, since $A_1, \ldots, A_n$ are compatible SIOA, we have $(\forall \ell \in [1:n] - \varphi : a \notin int(A_\ell)(s_\ell))$. Hence $(\forall \ell \in [1:n] - \varphi : a \notin sig(A_\ell)(s_\ell))$. Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. By (b) and Definition 9, we have 
$s = last(\alpha')$. By (b), $(\forall \ell \in [1:n] - \varphi : a \notin sig(A_\ell)(s_\ell))$, and Definition 6, we have $(s, a, t) \in steps(A)$. Now 
let $\alpha''$ be a finite execution fragment of $A$ constructed as follows. Let $t$ be the first state of $\alpha''$. Starting 
from $t$, execute in sequence first all the (internal) transitions along $\alpha''_{k_1}$, where $k_1$ is some element of $\varphi$, and 
then all the (internal) transitions along $\alpha''_{k_2}$, where $k_2$ is another element of $\varphi$, etc. until all elements of $\varphi$ 
have been exhausted. Since all the transitions are internal, Definition 6 shows that $\alpha''$ is indeed an execution 
fragment of $A$. Furthermore, since no external signatures change along any of the $\alpha''_k$, it follows that the 
external signature does not change along $\alpha''$, and hence must equal $ext(A)(t)$ at all states along $\alpha''$. Hence 
$trace(\alpha'') \approx ext(A)(t)$. Finally, by its construction, we have $\alpha'' \lceil A_k = \alpha''_k$ for all $k$. 

Let $\alpha = \alpha' \frown (s \xrightarrow{a}_A t) \frown \alpha''$. By the above, $\alpha$ is well defined, and is an execution of $A$. 


We now have 

$ext(A)(t)$ 
$= (\prod_k ext(A_k)(t_k)) \times (\prod_\ell ext(A_\ell)(t_\ell))$      definition of $t$ 
$= (\prod_k \Gamma_k) \times (\prod_\ell ext(A_\ell)(t_\ell))$      by (c), $ext(A_k)(t_k) = \Gamma_k$ 
$= (\prod_k \Gamma_k) \times (\prod_\ell \Gamma_\ell)$      $t_\ell = s_\ell$ and (d) 
$= \Gamma$      (a) 

Also, 

$trace(\alpha)$ 
$= trace(\alpha') \frown a \frown trace(\alpha'')$      definition of $\alpha$ 
$\approx trace(\alpha') \frown a \frown ext(A)(t)$      $trace(\alpha'') \approx ext(A)(t)$ 
$= trace(\alpha') \frown a \frown \Gamma$      $ext(A)(t) = \Gamma$ established above 
$\approx \gamma' a \Gamma$      $\alpha' \in execs^*(A)(\gamma')$, hence $trace(\alpha') \approx \gamma'$ 
$= \gamma$      case condition 

For all $k \in \varphi$, 

$\alpha \lceil A_k$ 
$= (\alpha' \lceil A_k) \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k)$      Definition 9 and definition of $\alpha$ 
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown (\alpha'' \lceil A_k)$      by (c), $\alpha' \lceil A_k = \alpha'_k$ 
$= \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$      by the preceding remarks, $\alpha'' \lceil A_k = \alpha''_k$ 
$= \alpha_k$      by definition of $\alpha'_k, \alpha''_k$: $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{a}_{A_k} t_k) \frown \alpha''_k$ 

For all $\ell \in [1:n] - \varphi$, 

$\alpha \lceil A_\ell$ 
$= \alpha' \lceil A_\ell$      Definition 9 and definition of $\alpha$ 
$= \alpha'_\ell$      by (c), $\alpha' \lceil A_\ell = \alpha'_\ell$ 
$= \alpha_\ell$      by our choice of $\alpha'_\ell$, $\alpha_\ell = \alpha'_\ell$ 

We have just established $\alpha \in execs^*(A)$, $\alpha \lceil A_j = \alpha_j$ for all $j \in [1:n]$, and $trace(\alpha) \approx \gamma$. Hence (*) is 
established for case 1. 


Case 2: $\gamma = \gamma' \Gamma$, $\gamma'$ is a pretrace, and $\Gamma$ is an external signature. 

Hence, by Definition 13, we have 
$\exists k \in [1:n] :$ 
$\gamma_k = \gamma'_k \Gamma_k \wedge last(\gamma'_k)$ is an external signature $\wedge$ 
$(\forall \ell \in [1:n] - k : \gamma_\ell = \gamma'_\ell \Gamma_\ell \wedge last(\gamma'_\ell) = \Gamma_\ell) \wedge$ 
$zips(\gamma', \gamma'_1, \ldots, \gamma'_n) \wedge$ 
$\Gamma = \Gamma_k \times (\prod_{\ell \in [1:n] - k} \Gamma_\ell)$. (a) 
For the rest of this case, let $j$ range over $[1:n]$, and $\ell$ range over $[1:n] - k$. In (a), we have that 
$\gamma'_j \in pretraces^*(A_j)$ for all $j$, since $\gamma'_j \le \gamma_j$ and $\gamma_j \in pretraces^*(A_j)$ for all $j$. Since we also have $\gamma' < \gamma$ and 
$zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we can apply the inductive hypothesis for $\gamma'$ to obtain 

$\forall \alpha'_1 \in execs^*(A_1)(\gamma'_1), \ldots, \forall \alpha'_n \in execs^*(A_n)(\gamma'_n) :$ 
$\exists \alpha' \in execs^*(A)(\gamma') : (\forall j \in [1:n] : \alpha' \lceil A_j = \alpha'_j)$ (b) 
By assumption, $\alpha_\ell \in execs^*(A_\ell)(\gamma_\ell)$. For all $\ell$, let $\alpha'_\ell = \alpha_\ell$, and let $s_\ell = t_\ell = last(\alpha_\ell)$. Hence $\alpha'_\ell \in 
texecs(A_\ell)(\gamma'_\ell)$, since $\gamma'_\ell \approx \gamma_\ell$. 


We now have two subcases. 


Subcase 2.1: $\Gamma_k = last(\gamma'_k)$. 

Let $\alpha'_k = \alpha_k$. Since $\alpha'_\ell = \alpha_\ell$ for all $\ell \in [1:n] - k$, we get $\alpha'_j = \alpha_j$ for all $j \in [1:n]$. Instantiating (b) for 
these $\alpha'_j$, we have the existence of an $\alpha'$ such that $\alpha' \in execs^*(A)(\gamma') \wedge (\forall j \in [1:n] : \alpha' \lceil A_j = \alpha'_j)$. Now let 
$\alpha = \alpha'$. Hence $trace(\alpha) = trace(\alpha') \approx \gamma'$ since $\alpha' \in execs^*(A)(\gamma')$. Figure 5 gives a diagram of the relevant 
executions, pretraces, and external signatures for this case. 

By the case 2 assumption, $\gamma'$ is a pretrace, and so $last(\gamma')$ is an external signature. So, we have 

$last(\gamma')$ 
$= last(\gamma'_k) \times (\prod_\ell last(\gamma'_\ell))$      $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and Definition 13 
$= last(\gamma'_k) \times (\prod_\ell \Gamma_\ell)$      (a) 
$= \Gamma_k \times (\prod_\ell \Gamma_\ell)$      subcase assumption 
$= \Gamma$      (a) 

By the case assumption, $\gamma = \gamma' \Gamma$. Hence $\gamma \approx \gamma'$. So, $trace(\alpha) \approx \gamma$. We have just established $\alpha \in execs(A)$, 
$\alpha \lceil A_j = \alpha_j$ for all $j \in [1:n]$, and $trace(\alpha) \approx \gamma$. Hence (*) is established for subcase 2.1. 


Subcase 2.2: $\Gamma_k \ne last(\gamma'_k)$. 

In this case, we can find a finite execution $\alpha'_k$, and finite execution fragment $\alpha''_k$ such that $\alpha_k = \alpha'_k \frown 
(s_k \xrightarrow{\tau}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$, $ext(A_k)(t_k) = \Gamma_k$, and $t_k = first(\alpha''_k)$. Figure 6 gives a diagram 
of the relevant executions, pretraces, and external signatures for this case. The transition $s_k \xrightarrow{\tau}_{A_k} t_k$ must 
exist, since the external signature of $A_k$ changed along $\gamma_k$. Also, $\alpha''_k$ consists entirely of internal actions, and 
$trace(\alpha''_k) \approx \Gamma_k$, i.e., every state along $\alpha''_k$ has external signature $\Gamma_k$. 

Hence $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{\tau}_{A_k} t_k) \frown \alpha''_k$, where $s_k = last(\alpha'_k)$ and $ext(A_k)(t_k) = \Gamma_k$, and $\tau \in int(A_k)(s_k)$. 

Now let $s = (s_1, \ldots, s_n)$, and let $t = (t_1, \ldots, t_n)$. For all $\ell \in [1:n] - k$, let $\alpha'_\ell = \alpha_\ell$. Instantiating (b) for $\alpha'_k$ and 
the $\alpha'_\ell$, we have the existence of an $\alpha'$ such that $\alpha' \in execs^*(A)(\gamma') \wedge (\forall \ell \in [1:n] - k : \alpha' \lceil A_\ell = \alpha'_\ell) \wedge (\alpha' \lceil A_k = 
\alpha'_k)$. (c) By (b) and Definition 9, we have $s = last(\alpha')$. By Definition 6, we have $(s, \tau, t) \in steps(A)$. Let 
$\alpha = \alpha' \frown (s \xrightarrow{\tau}_A t) \frown \alpha''$, where $\alpha''$ is the finite execution fragment of $A$ with first state $t$, and whose 
transitions are exactly those of $\alpha''_k$, with no other SIOA making any transitions. Since all the transitions of 
$\alpha''_k$ are internal, Definition 6 shows that $\alpha''$ is indeed an execution fragment of $A$. Furthermore, since the 
external signature does not change along $\alpha''_k$, it follows that the external signature does not change along 
$\alpha''$, and hence must equal $ext(A)(t)$ at all states along $\alpha''$. Hence $trace(\alpha'') \approx ext(A)(t)$. Finally, by its 
construction, we have $\alpha'' \lceil A_k = \alpha''_k$. 

By the above, $\alpha$ is well defined, and is an execution of $A$. 


We now have 

$ext(A)(t)$ 
$= ext(A_k)(t_k) \times (\prod_\ell ext(A_\ell)(t_\ell))$      definition of $t$ 
$= \Gamma_k \times (\prod_\ell ext(A_\ell)(t_\ell))$      definition of $t_k$ 
$= \Gamma_k \times (\prod_\ell \Gamma_\ell)$      $t_\ell = last(\alpha_\ell)$, (a) 
$= \Gamma$      (a) 

Also, 

$trace(\alpha)$ 
$= trace(\alpha') \frown trace(\alpha'')$      definition of $\alpha$ 
$\approx trace(\alpha') \frown ext(A)(t)$      $trace(\alpha'') \approx ext(A)(t)$ 
$= trace(\alpha') \frown \Gamma$      $ext(A)(t) = \Gamma$ established above 
$\approx \gamma' \Gamma$      $\alpha' \in execs^*(A)(\gamma')$, hence $trace(\alpha') \approx \gamma'$ 
$= \gamma$      case condition 

For $A_k$, 

$\alpha \lceil A_k$ 
$= (\alpha' \lceil A_k) \frown (s_k \xrightarrow{\tau}_{A_k} t_k) \frown (\alpha'' \lceil A_k)$      Definition 9 and definition of $\alpha$ 
$= \alpha'_k \frown (s_k \xrightarrow{\tau}_{A_k} t_k) \frown (\alpha'' \lceil A_k)$      by (c), $\alpha' \lceil A_k = \alpha'_k$ 
$= \alpha'_k \frown (s_k \xrightarrow{\tau}_{A_k} t_k) \frown \alpha''_k$      by the preceding remarks, $\alpha'' \lceil A_k = \alpha''_k$ 
$= \alpha_k$      by definition of $\alpha'_k, \alpha''_k$: $\alpha_k = \alpha'_k \frown (s_k \xrightarrow{\tau}_{A_k} t_k) \frown \alpha''_k$ 

For all $\ell \in [1:n] - k$, 

$\alpha \lceil A_\ell$ 
$= \alpha' \lceil A_\ell$      Definition 9 and definition of $\alpha$ 
$= \alpha'_\ell$      by (c), $\alpha' \lceil A_\ell = \alpha'_\ell$ 
$= \alpha_\ell$      by our choice of $\alpha'_\ell$, $\alpha_\ell = \alpha'_\ell$ 

We have just established $\alpha \in execs^*(A)$, $\alpha \lceil A_j = \alpha_j$ for all $j \in [1:n]$, and $trace(\alpha) \approx \gamma$. Hence (*) is 
established for subcase 2.2. Hence Case 2 of the inductive step is established. 


Since both cases of the inductive step have been established, the theorem follows. 


We use Theorem 7 and the definition of zip (Definition 14) to establish a similar result for traces. 


Corollary 8 (Finite-trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| 
\cdots \| A_n$. Let $\beta$ be a finite trace and assume that there exist $\beta_1, \ldots, \beta_n$ such that (1) $(\forall j \in [1:n] : \beta_j \in 
traces^*(A_j))$, and (2) $zip(\beta, \beta_1, \ldots, \beta_n)$. Then $\beta \in traces^*(A)$. 

Proof: By Definition 14, there exist finite pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $(\bigwedge_{j \in [1:n]} \gamma_j \approx \beta_j)$, and 
$zips(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 7, $\exists \alpha \in execs^*(A) : trace(\alpha) \approx \gamma$. Hence $trace(\alpha) \approx \beta$. Since $\beta$ is a trace, 
we obtain $trace(\alpha) = \beta$. Since $\beta$ is finite, $\beta \in traces^*(A)$. 


Theorem 9 extends Theorem 7 to infinite pretraces. That is, if a set of pretraces $\gamma_j$ of $A_j$, for all $j \in [1:n]$, 
can be “zipped up” to generate a pretrace $\gamma$, then $\gamma$ is a pretrace of $A = A_1 \| \cdots \| A_n$. The proof uses 
the result of Theorem 7 to construct an infinite family of finite executions, each of which is a prefix of the 
next, and such that the trace of each finite execution is stuttering-equivalent to a prefix of $\gamma$. Taking the 
limit of these executions under the prefix ordering then yields an infinite execution $\alpha$ of $A$ whose trace is 
stuttering-equivalent to $\gamma$, as desired. 
Figure 4: Proof of Theorem 7: illustration of case one 

Figure 5: Proof of Theorem 7: illustration of subcase 2.1 


Theorem 9 (Pretrace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| 
A_n$. Let $\gamma$ be a pretrace. If, for all $j \in [1:n]$, $\gamma_j \in pretraces(A_j)$ can be chosen so that $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ 
holds, then $\exists \alpha \in execs(A) : trace(\alpha) \approx \gamma$. 


Proof: If $\gamma$ is finite, then the result follows from Theorem 7. Hence assume that $\gamma$ is infinite for the remainder 
of the proof. By Proposition 6, we have 

$\forall i, i > 0 \wedge ispretrace(\gamma|_i) : (\forall j \in [1:n] : ispretrace(\gamma_j|_i)) \wedge zips(\gamma|_i, \gamma_1|_i, \ldots, \gamma_n|_i)$. (a) 
Hence, by $\gamma_j \in pretraces(A_j)$ and Definition 10, we have 
$\forall i, i > 0 \wedge ispretrace(\gamma|_i), \forall j \in [1:n] : \gamma_j|_i \in pretraces(A_j)$ (b) 
By (a,b) and Theorem 7, we have 

$\forall i, i > 0 \wedge ispretrace(\gamma|_i), \exists \alpha^i \in execs(A) : trace(\alpha^i) \approx \gamma|_i$ (c) 

Now let $i', i''$ be such that $i' < i''$, $ispretrace(\gamma|_{i'})$, $ispretrace(\gamma|_{i''})$, and there is no $i' < i < i''$ such that 
$ispretrace(\gamma|_i)$. By Definition 10, we have that either $\gamma|_{i''} = (\gamma|_{i'}) a \Gamma$ or $\gamma|_{i''} = (\gamma|_{i'}) \Gamma$, for some action $a$ 
and external signature $\Gamma$. We can show that there exist $\alpha^{i'} \in execs(A)$, $\alpha^{i''} \in execs(A)$ such that $\alpha^{i'} \le \alpha^{i''}$, 
$trace(\alpha^{i'}) \approx \gamma|_{i'}$, $trace(\alpha^{i''}) \approx \gamma|_{i''}$. This is established by the same argument as used for the inductive 
step in the proof of Theorem 7. In essence, $\alpha^{i''}$ is obtained inductively as an extension of $\alpha^{i'}$. We omit the 
(repetitive) details. 
Figure 6: Proof of Theorem 7: illustration of subcase 2.2 


Let $prefixes(\gamma) = \{i \mid i > 0 \wedge ispretrace(\gamma|_i)\}$. By (c), we have 

there exists a set $\{\alpha^i \mid i \in prefixes(\gamma)\}$ such that 
$\forall i \in prefixes(\gamma) : \alpha^i \in execs(A) \wedge trace(\alpha^i) \approx \gamma|_i$ 
$\forall i', i'' \in prefixes(\gamma), i' < i'' : \alpha^{i'} \le \alpha^{i''}$ (d) 
Now let $\alpha$ be the unique minimum sequence that satisfies $\forall i \in prefixes(\gamma) : \alpha^i \le \alpha$. $\alpha$ exists by (d). Since 
every triple $(s, a, s')$ along $\alpha$ occurs in some $\alpha^i$, it must be a step of $A$. Hence $\alpha$ is an execution of $A$. 

We now show, by contradiction, that $trace(\alpha) \approx \gamma$. Suppose not, and let $\beta = trace(\alpha)$. Then $\beta \ne r(\gamma)$ by 
Definition 12. Since $\beta$ and $r(\gamma)$ are sequences, they must differ at some position. Let $i_0$ be the smallest 
number such that $\beta(i_0) \ne r(\gamma)(i_0)$. Hence $\beta|_{i_0} \ne r(\gamma)|_{i_0}$. Now the trace of a prefix of $\alpha$ is a prefix of $\beta$, by 
Definition 2. Hence there can be no prefix of $\alpha$ whose trace is $r(\gamma)|_{i_0}$, i.e., $\neg(\exists i > 0 : trace(\alpha|_i) = r(\gamma)|_{i_0})$. Let 
$i_1$ be such that $r(\gamma|_{i_1}) = r(\gamma)|_{i_0}$. Hence $\neg(\exists i > 0 : trace(\alpha|_i) = r(\gamma|_{i_1}))$. And so $\neg(\exists i > 0 : trace(\alpha|_i) \approx \gamma|_{i_1})$. 
But this contradicts (d), and so we are done. 


We use Theorem 9 and the definition of $zip$ (Definition 14) to establish Corollary 10, which extends Corollary 8 
to infinite traces. Corollary 10 gives our main trace pasting result, and is also used to establish trace 
substitutivity, Theorem 17, below. 


Corollary 10 (Trace pasting for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. 
Let $\beta$ be a trace and assume that there exist $\beta_1, \ldots, \beta_n$ such that (1) $(\forall j \in [1:n] : \beta_j \in traces(A_j))$, and (2) 
$zip(\beta, \beta_1, \ldots, \beta_n)$. Then $\beta \in traces(A)$. 

Proof: By Definition 14, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \approx \beta$, $\bigwedge_{j \in [1:n]} \gamma_j \approx \beta_j$, and 
$zips(\gamma, \gamma_1, \ldots, \gamma_n)$. By Theorem 9, $\exists \alpha \in execs(A) : trace(\alpha) \approx \gamma$. Hence $trace(\alpha) \approx \beta$. Since $\beta$ is a 
trace, we obtain $trace(\alpha) = \beta$. Hence $\beta \in traces(A)$. 


3.3 Trace Substitutivity for SIOA 


To establish trace substitutivity, we first need some preliminary technical results. These establish that for 
an execution $\alpha$ of $A = A_1 \| \cdots \| A_n$ and its projections $\alpha \lceil A_1, \ldots, \alpha \lceil A_n$, there exist corresponding (in 
the sense of being stuttering equivalent to the trace of) pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ respectively which “zip up,” 
i.e., $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds. Our first proposition establishes this result for finite executions. 
Proposition 11 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any finite 
execution of $A$. Then, there exist finite pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that (1) $\gamma \approx trace(\alpha)$, (2) $(\forall j \in [1:n] : 
\gamma_j \approx trace(\alpha \lceil A_j))$, and (3) $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. 


Proof: By induction on $|\alpha|$. For the rest of the proof, fix $\alpha$ to be an arbitrary finite execution of $A$. 


Base case: $|\alpha| = 0$. Then $\alpha$ consists of a single state $s$. By Definition 6, we have $ext(A)(s) = \prod_{j \in [1:n]} ext(A_j)(s \lceil A_j)$. 
Let $\gamma$ consist of the single element $ext(A)(s)$ and for all $j \in [1:n]$, let $\gamma_j$ consist of the single element 
$ext(A_j)(s \lceil A_j)$. Hence $\gamma = \prod_{j \in [1:n]} \gamma_j$. By Definition 13, $zips(\gamma, \gamma_1, \ldots, \gamma_n)$ holds. 


Induction step: $|\alpha| > 0$. There are two cases to consider, according to whether the last transition of $\alpha$ is an external or internal action of $A$.


Case 1: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in ext(A)(last(\alpha'))$.
We apply the induction hypothesis to $\alpha'$ to obtain

there exist pretraces $\gamma', \gamma'_1, \ldots, \gamma'_n$ such that
$\gamma' \simeq trace(\alpha')$, $(\forall j \in [1:n] : \gamma'_j \simeq trace(\alpha'\lceil A_j))$, and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. (a)

Let $s = last(\alpha')$, and for all $j \in [1:n]$, let $s_j = s\lceil A_j$, and $t_j = t\lceil A_j$. Let $\varphi = \{ j \mid a \in ext(A_j)(s_j) \}$. Let $k$ range over $\varphi$ and $\ell$ range over $[1:n] - \varphi$. Hence, $\bigwedge_\ell a \notin sig(A_\ell)(s_\ell)$. Hence, by Definition 6, $\bigwedge_\ell s_\ell = t_\ell$.

By Definition 9, for all $k$, we have $\alpha\lceil A_k = (\alpha'\lceil A_k) a t_k$. Hence $trace(\alpha\lceil A_k) = trace(\alpha'\lceil A_k) \frown a \frown ext(A_k)(t_k)$. For all $k$, we have $\gamma'_k \simeq trace(\alpha'\lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown a \frown ext(A_k)(t_k)$. Hence $\gamma_k \simeq trace(\alpha\lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha\lceil A_\ell = \alpha'\lceil A_\ell$. Hence $trace(\alpha\lceil A_\ell) = trace(\alpha'\lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown ext(A_\ell)(s_\ell) \frown ext(A_\ell)(s_\ell)$. By (a), we have $\gamma'_\ell \simeq trace(\alpha'\lceil A_\ell)$ for all $\ell$. From $s = last(\alpha')$, we get $last(\gamma'_\ell) = ext(A_\ell)(last(\alpha'\lceil A_\ell)) = ext(A_\ell)(s_\ell)$. Hence $\gamma_\ell \simeq \gamma'_\ell$. Hence $\gamma_\ell \simeq \gamma'_\ell \simeq trace(\alpha'\lceil A_\ell) = trace(\alpha\lceil A_\ell)$. Thus, $\gamma_\ell \simeq trace(\alpha\lceil A_\ell)$.

Let $\gamma = \gamma' \frown a \frown ext(A)(t)$. Now $trace(\alpha) = trace(\alpha' a t) = trace(\alpha') \frown a \frown ext(A)(t)$. From (a), $\gamma' \simeq trace(\alpha')$. Hence $\gamma = \gamma' \frown a \frown ext(A)(t) \simeq trace(\alpha') \frown a \frown ext(A)(t) = trace(\alpha)$. So, $\gamma \simeq trace(\alpha)$.

From the previous three paragraphs, we have

$\gamma \simeq trace(\alpha) \wedge \bigwedge_{j \in [1:n]} \gamma_j \simeq trace(\alpha\lceil A_j)$. (b)

We now establish $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.


By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 2$, and for all $j \in [1:n]$, $|\gamma_j| = |\gamma'_j| + 2$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By definition of $\ell$, we have $\bigwedge_\ell a \notin ext(A_\ell)(s_\ell)$. By construction, the last three elements of $\gamma_\ell$ (for all $\ell$) are all $ext(A_\ell)(s_\ell)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 2 is satisfied.

By Definition 6, we have $ext(A)(t) = \prod_{j \in [1:n]} ext(A_j)(t_j)$. By construction, we have $last(\gamma) = ext(A)(t)$, $\bigwedge_k last(\gamma_k) = ext(A_k)(t_k)$, and $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(t_\ell)$. Hence $last(\gamma) = \prod_{j \in [1:n]} last(\gamma_j)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an external action), we conclude that clause 4 is satisfied.

Hence, we have established $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.


Case 2: $\alpha = \alpha' a t$ for some action $a$ and state $t$, where $a \in int(A)(last(\alpha'))$.
We can apply the induction hypothesis to $\alpha'$ to obtain

there exist pretraces $\gamma', \gamma'_1, \ldots, \gamma'_n$ such that
$\gamma' \simeq trace(\alpha')$, $(\forall j \in [1:n] : \gamma'_j \simeq trace(\alpha'\lceil A_j))$, and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. (a)

Let $s = last(\alpha')$, and for all $j \in [1:n]$, let $s_j = s\lceil A_j$, and $t_j = t\lceil A_j$. Since $a$ is an internal action of $A$, it is executed by exactly one of the $A_1, \ldots, A_n$. Thus, there is some $k \in [1:n]$ such that $a \in int(A_k)(s_k)$, and for all $\ell \in [1:n] - k$, $a \notin sig(A_\ell)(s_\ell)$. Let $\ell$ range over $[1:n] - k$ for the rest of this case. Hence $\bigwedge_\ell s_\ell = t_\ell$, by Definition 6.

By Definition 9, we have $\alpha\lceil A_k = (\alpha'\lceil A_k) a t_k$. Hence $trace(\alpha\lceil A_k) = trace(\alpha'\lceil A_k) \frown ext(A_k)(t_k)$. We have $\gamma'_k \simeq trace(\alpha'\lceil A_k)$ by (a). Let $\gamma_k = \gamma'_k \frown ext(A_k)(t_k)$. Hence $\gamma_k \simeq trace(\alpha\lceil A_k)$.

By Definition 9, for all $\ell$, we have $\alpha\lceil A_\ell = \alpha'\lceil A_\ell$. Hence $trace(\alpha\lceil A_\ell) = trace(\alpha'\lceil A_\ell)$. Let $\gamma_\ell = \gamma'_\ell \frown ext(A_\ell)(s_\ell)$. By (a), $\gamma'_\ell \simeq trace(\alpha'\lceil A_\ell)$ for all $\ell$. From $s = last(\alpha')$, we get $last(\gamma'_\ell) = ext(A_\ell)(last(\alpha'\lceil A_\ell)) = ext(A_\ell)(s_\ell)$. Hence $\gamma_\ell \simeq \gamma'_\ell$. Hence $\gamma_\ell \simeq \gamma'_\ell \simeq trace(\alpha'\lceil A_\ell) = trace(\alpha\lceil A_\ell)$. Thus, $\gamma_\ell \simeq trace(\alpha\lceil A_\ell)$.

Let $\gamma = \gamma' \frown ext(A)(t)$. Now $trace(\alpha) = trace(\alpha' a t) = trace(\alpha') \frown ext(A)(t)$. From (a), $\gamma' \simeq trace(\alpha')$. Hence $\gamma = \gamma' \frown ext(A)(t) \simeq trace(\alpha') \frown ext(A)(t) = trace(\alpha)$. So, $\gamma \simeq trace(\alpha)$.

From the previous three paragraphs, we have

$\gamma \simeq trace(\alpha) \wedge \bigwedge_{j \in [1:n]} \gamma_j \simeq trace(\alpha\lceil A_j)$. (b)

We now establish $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. We show that all clauses of Definition 13 are satisfied for $\gamma, \gamma_1, \ldots, \gamma_n$. By (a), $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$. We will use this repeatedly below.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we have $|\gamma'| = |\gamma'_1| = \cdots = |\gamma'_n|$. By construction $|\gamma| = |\gamma'| + 1$, and for all $j \in [1:n]$, $|\gamma_j| = |\gamma'_j| + 1$. Hence $|\gamma| = |\gamma_1| = \cdots = |\gamma_n|$. So clause 1 is satisfied.

By $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$ and the construction of $\gamma, \gamma_1, \ldots, \gamma_n$ (specifically, that $a$ is an internal action), we conclude that clause 2 is satisfied.

By Definition 6, we have $ext(A)(t) = \prod_{j \in [1:n]} ext(A_j)(t_j)$. By construction, we have $last(\gamma) = ext(A)(t)$, $last(\gamma_k) = ext(A_k)(t_k)$, and $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(s_\ell)$. From $\bigwedge_\ell s_\ell = t_\ell$ (established above), we get $\bigwedge_\ell last(\gamma_\ell) = ext(A_\ell)(t_\ell)$. Hence $last(\gamma) = \prod_{j \in [1:n]} last(\gamma_j)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 3 is satisfied.

By construction, the last two elements of $\gamma_\ell$ (for all $\ell$) are both $ext(A_\ell)(s_\ell)$. By this and $zips(\gamma', \gamma'_1, \ldots, \gamma'_n)$, we conclude that clause 4 is satisfied.

Hence, we have established $zips(\gamma, \gamma_1, \ldots, \gamma_n)$. Together with (b), this establishes the inductive step in this case.

Having established both possible cases, we conclude that the inductive step holds.


Proposition 12 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\beta$ be any finite trace of $A$. Then, there exist $\beta_1, \ldots, \beta_n$ such that (1) $(\forall j \in [1:n] : \beta_j \in traces^*(A_j))$, and (2) $zip(\beta, \beta_1, \ldots, \beta_n)$.

Proof: Since $\beta \in traces^*(A)$, there exists $\alpha \in execs^*(A)$ such that $trace(\alpha) = \beta$. Applying Proposition 11 to $\alpha$, we have that there exist finite pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \simeq trace(\alpha)$, $(\forall j \in [1:n] : \gamma_j \simeq trace(\alpha\lceil A_j))$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

For all $j \in [1:n]$, let $\beta_j = trace(\alpha\lceil A_j)$. By Theorem 4, $\alpha\lceil A_j \in execs(A_j)$. Hence $\alpha\lceil A_j \in execs^*(A_j)$ since $\alpha$ is finite. Hence $\beta_j \in traces^*(A_j)$. Thus, (1) is established.

From $\gamma_j \simeq trace(\alpha\lceil A_j)$ and $\beta_j = trace(\alpha\lceil A_j)$, we have $\beta_j \simeq \gamma_j$, for all $j \in [1:n]$. From $\gamma \simeq trace(\alpha)$ and $\beta = trace(\alpha)$, we have $\gamma \simeq \beta$. Hence, by Definition 14 and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$, we conclude $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence (2) is established.
Theorem 13 (Finite-trace Substitutivity for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. For some $k \in [1:n]$, let $A_1, \ldots, A_{k-1}, A'_k, A_{k+1}, \ldots, A_n$ be compatible SIOA, and let $A' = A_1 \| \cdots \| A_{k-1} \| A'_k \| A_{k+1} \| \cdots \| A_n$. Assume also that $traces^*(A_k) \subseteq traces^*(A'_k)$. Then $traces^*(A) \subseteq traces^*(A')$.

Proof: Let $\beta$ be an arbitrary finite trace of $A$. Then, by Proposition 12, there exist $\beta_1, \ldots, \beta_n$ such that $zip(\beta, \beta_1, \ldots, \beta_n)$, and $(\forall j \in [1:n] : \beta_j \in traces^*(A_j))$. By assumption, $traces^*(A_k) \subseteq traces^*(A'_k)$. Hence $\beta_k \in traces^*(A'_k)$. Thus, we have $\beta_k \in traces^*(A'_k)$, $(\forall \ell \in [1:n] - k : \beta_\ell \in traces^*(A_\ell))$, and $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence, by Corollary 8, $\beta \in traces^*(A')$. Since $\beta$ was chosen arbitrarily, we have $traces^*(A) \subseteq traces^*(A')$.


To extend Theorem 13 to infinite traces, we start with Proposition 14, which extends the result of Proposition 11 to the (infinite set of) finite prefixes of an infinite execution. That is, for every finite prefix $\alpha|_i$ of an infinite execution $\alpha$ of $A = A_1 \| \cdots \| A_n$, and its projections $(\alpha|_i)\lceil A_1, \ldots, (\alpha|_i)\lceil A_n$, there exist corresponding (in the sense of being stuttering equivalent to the trace of) pretraces $\gamma^i$ and $\gamma^i_1, \ldots, \gamma^i_n$ respectively which “zip up,” i.e., $zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$ holds. Furthermore, the pretraces $\gamma^{i-1}, \gamma^{i-1}_1, \ldots, \gamma^{i-1}_n$ corresponding to $\alpha|_{i-1}, (\alpha|_{i-1})\lceil A_1, \ldots, (\alpha|_{i-1})\lceil A_n$, respectively, are prefixes of the pretraces $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$, respectively.

Proposition 14 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any execution of $A$. Then, there exists a countably infinite set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i \le |\alpha| \wedge i \ne \omega\}$ such that:

1. $\forall i, 0 \le i \le |\alpha| \wedge i \ne \omega : \gamma^i \simeq trace(\alpha|_i) \wedge (\bigwedge_{j \in [1:n]} \gamma^i_j \simeq trace((\alpha|_i)\lceil A_j))$,
2. $\forall i, 0 \le i \le |\alpha| \wedge i \ne \omega : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$, and
3. $\forall i, 0 < i \le |\alpha| \wedge i \ne \omega : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [1:n]} \gamma^{i-1}_j < \gamma^i_j)$.


Proof: By induction on $i$.

Base case: $i = 0$. Then, $\alpha|_0$ consists of a single state $s$. The proof then parallels the base case of the proof of Proposition 11. We omit the repetitive details.

Induction step: $i > 0$. Assume the inductive hypothesis for $0 \le i < m$, and establish it for $i = m$. By the inductive hypothesis, we obtain

there exists a set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i < m\}$ such that:
1. $\forall i, 0 \le i < m : \gamma^i \simeq trace(\alpha|_i) \wedge (\bigwedge_{j \in [1:n]} \gamma^i_j \simeq trace((\alpha|_i)\lceil A_j))$,
2. $\forall i, 0 \le i < m : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$, and
3. $\forall i, 0 < i < m : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [1:n]} \gamma^{i-1}_j < \gamma^i_j)$.

We now establish the inductive hypothesis for $i = m$, that is:

there exists a tuple of pretraces $(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$ such that
1. $\gamma^m \simeq trace(\alpha|_m) \wedge (\bigwedge_{j \in [1:n]} \gamma^m_j \simeq trace((\alpha|_m)\lceil A_j))$,
2. $zips(\gamma^m, \gamma^m_1, \ldots, \gamma^m_n)$, and
3. $\gamma^{m-1} < \gamma^m \wedge (\bigwedge_{j \in [1:n]} \gamma^{m-1}_j < \gamma^m_j)$. (*)

There are two cases.
Case 1: $\alpha|_m = (\alpha|_{m-1}) a t$ for some action $a$ and state $t$, where $a \in ext(A)(last(\alpha|_{m-1}))$.

Case 2: $\alpha|_m = (\alpha|_{m-1}) a t$ for some action $a$ and state $t$, where $a \in int(A)(last(\alpha|_{m-1}))$.

To establish Clauses 1 and 2 of (*), the proofs for these cases proceed in exactly the same way as the proofs for cases 1 and 2 in the proof of Proposition 11, with $\alpha|_{m-1}$ playing the role of $\alpha'$, and $\alpha|_m$ playing the role of $\alpha$.

To establish Clause 3 of (*), we note that, in both cases 1 and 2 in the proof of Proposition 11, $\gamma, \gamma_1, \ldots, \gamma_n$ are constructed as extensions of $\gamma', \gamma'_1, \ldots, \gamma'_n$, respectively. Our proof here proceeds in exactly the same way, with $\gamma^{m-1}, \gamma^{m-1}_1, \ldots, \gamma^{m-1}_n$ playing the role of $\gamma', \gamma'_1, \ldots, \gamma'_n$, respectively, and $\gamma^m, \gamma^m_1, \ldots, \gamma^m_n$ playing the role of $\gamma, \gamma_1, \ldots, \gamma_n$, respectively. We omit the details.

Note that we include $i \ne \omega$ in the range of $i$ to emphasize that, for infinite executions $\alpha$, the range $0 \le i \le |\alpha|$ does not include $i = \omega$.


Proposition 15 establishes the result of Proposition 11 for infinite executions. The proof uses Proposition 14 and constructs the required pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ by taking the limit under the prefix ordering of the $\gamma^i, \gamma^i_1, \ldots, \gamma^i_n$ given in Proposition 14, as $i$ tends to $\omega$.

Proposition 15 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\alpha$ be any execution of $A$. Then, there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that (1) $\gamma \simeq trace(\alpha)$, (2) $(\forall j \in [1:n] : \gamma_j \simeq trace(\alpha\lceil A_j))$, and (3) $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

Proof: If $\alpha$ is finite, then the result follows from Proposition 11. Hence, assume that $\alpha$ is infinite in the rest of the proof. By Proposition 14, we have

there exists a countably infinite set of tuples of finite pretraces $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i\}$ such that:
1. $\forall i, 0 \le i : \gamma^i \simeq trace(\alpha|_i) \wedge (\bigwedge_{j \in [1:n]} \gamma^i_j \simeq trace((\alpha|_i)\lceil A_j))$,
2. $\forall i, 0 \le i : zips(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n)$, and
3. $\forall i, 0 < i : \gamma^{i-1} < \gamma^i \wedge (\bigwedge_{j \in [1:n]} \gamma^{i-1}_j < \gamma^i_j)$. (a)

Since the set of tuples $\{(\gamma^i, \gamma^i_1, \ldots, \gamma^i_n) \mid 0 \le i\}$ is countably infinite, and $\gamma^{i-1}$ is a proper prefix of $\gamma^i$ for all $i > 0$, we can define $\gamma$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i < \gamma$. Likewise, for all $j \in [1:n]$, we can define $\gamma_j$ to be the unique sequence such that $\forall i, 0 \le i : \gamma^i_j < \gamma_j$. From clause 2 of (a) and Definition 13, we conclude $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

We now show, by contradiction, that $trace(\alpha) \simeq \gamma$. Suppose not, and let $\beta = trace(\alpha)$. Then $\beta \ne r(\gamma)$ by Definition 12. Since $\beta$ and $r(\gamma)$ are sequences, they must differ at some position. Let $i_0$ be the smallest number such that $\beta(i_0) \ne r(\gamma)(i_0)$. Hence $\beta|_{i_0} \ne r(\gamma)|_{i_0}$. Now the trace of a prefix of $\alpha$ is a prefix of $\beta$, by Definition 2. Hence there can be no prefix of $\alpha$ whose trace is $r(\gamma)|_{i_0}$, i.e., $\neg(\exists i \ge 0 : trace(\alpha|_i) = r(\gamma)|_{i_0})$. Let $i_1$ be such that $r(\gamma|_{i_1}) = r(\gamma)|_{i_0}$. Hence $\neg(\exists i \ge 0 : trace(\alpha|_i) = r(\gamma|_{i_1}))$. And so $\neg(\exists i \ge 0 : trace(\alpha|_i) \simeq \gamma|_{i_1})$. But this contradicts (a), and so we are done. In a similar manner, we show $\gamma_j \simeq trace(\alpha\lceil A_j)$ for all $j \in [1:n]$. Hence, the proposition is established.


Proposition 16 “lifts” the result of Proposition 15 from executions to traces; it shows that if $\beta$ is a trace of $A = A_1 \| \cdots \| A_n$ then there exist traces $\beta_1, \ldots, \beta_n$ of $A_1, \ldots, A_n$ respectively which zip up to $\beta$, that is $zip(\beta, \beta_1, \ldots, \beta_n)$ holds. The proof is a straightforward application of Proposition 15.

Proposition 16 Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. Let $\beta$ be an arbitrary element of $traces(A)$. Then, there exist $\beta_1, \ldots, \beta_n$ such that (1) for all $j \in [1:n] : \beta_j \in traces(A_j)$, and (2) $zip(\beta, \beta_1, \ldots, \beta_n)$.

Proof: Since $\beta \in traces(A)$, there exists $\alpha \in execs(A)$ such that $trace(\alpha) = \beta$. Applying Proposition 15 to $\alpha$, we have that there exist pretraces $\gamma, \gamma_1, \ldots, \gamma_n$ such that $\gamma \simeq trace(\alpha)$, $(\forall j \in [1:n] : \gamma_j \simeq trace(\alpha\lceil A_j))$, and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$.

For all $j \in [1:n]$, let $\beta_j = trace(\alpha\lceil A_j)$. By Theorem 4, $\alpha\lceil A_j \in execs(A_j)$. Hence $\beta_j \in traces(A_j)$. Thus, (1) is established.

From $\gamma_j \simeq trace(\alpha\lceil A_j)$ and $\beta_j = trace(\alpha\lceil A_j)$, we have $\beta_j \simeq \gamma_j$, for all $j \in [1:n]$. From $\gamma \simeq trace(\alpha)$ and $\beta = trace(\alpha)$, we have $\gamma \simeq \beta$. Hence, by Definition 14 and $zips(\gamma, \gamma_1, \ldots, \gamma_n)$, we conclude $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence (2) is established.


Theorem 17 gives one of our main results: trace substitutivity. This states that, in a composition of $n$ SIOA, if one of the SIOA is replaced by another whose traces are a subset of those of the SIOA that was replaced, then this cannot increase the set of traces of the entire composition.

Theorem 17 (Trace Substitutivity for SIOA) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. For some $k \in [1:n]$, let $A_1, \ldots, A_{k-1}, A'_k, A_{k+1}, \ldots, A_n$ be compatible SIOA, and let $A' = A_1 \| \cdots \| A_{k-1} \| A'_k \| A_{k+1} \| \cdots \| A_n$. Assume also that $traces(A_k) \subseteq traces(A'_k)$. Then $traces(A) \subseteq traces(A')$.

Proof: Let $\beta$ be an arbitrary trace of $A$. Then, by Proposition 16, there exist $\beta_1, \ldots, \beta_n$ such that $zip(\beta, \beta_1, \ldots, \beta_n)$, and $(\forall j \in [1:n] : \beta_j \in traces(A_j))$. By assumption, $traces(A_k) \subseteq traces(A'_k)$. Hence $\beta_k \in traces(A'_k)$. Thus, we have $\beta_k \in traces(A'_k)$, $(\forall \ell \in [1:n] - k : \beta_\ell \in traces(A_\ell))$, and $zip(\beta, \beta_1, \ldots, \beta_n)$. Hence, by Corollary 10, $\beta \in traces(A')$. Since $\beta$ was chosen arbitrarily, we have $traces(A) \subseteq traces(A')$.


4 Trace Substitutivity under Hiding and Renaming

We now proceed to show that action hiding and renaming are monotonic with respect to trace inclusion.

Theorem 18 (Trace Substitutivity for SIOA w.r.t. Action Hiding) Let $A, A'$ be SIOA such that $traces(A) \subseteq traces(A')$. Let $\Sigma$ be a set of actions. Then $traces(A \setminus \Sigma) \subseteq traces(A' \setminus \Sigma)$.

Proof: From $traces(A) \subseteq traces(A')$, we have

$\forall \alpha \in execs(A) : \exists \alpha' \in execs(A') : trace_A(\alpha) = trace_{A'}(\alpha')$.

By Definition 7, $start(A \setminus \Sigma) = start(A)$ and $steps(A \setminus \Sigma) = steps(A)$, and so $execs(A) = execs(A \setminus \Sigma)$. Likewise $execs(A') = execs(A' \setminus \Sigma)$. Hence

$\forall \alpha \in execs(A \setminus \Sigma) : \exists \alpha' \in execs(A' \setminus \Sigma) : trace_A(\alpha) = trace_{A'}(\alpha')$.

Choose arbitrarily $\alpha \in execs(A \setminus \Sigma)$ and $\alpha' \in execs(A' \setminus \Sigma)$ such that $trace_A(\alpha) = trace_{A'}(\alpha')$. Let $\beta = trace_A(\alpha) = trace_{A'}(\alpha')$. Let $\beta \setminus \Sigma$ be the trace obtained from $\beta$ by removing all actions in $\Sigma$, and then replacing each maximal block of identical external signatures by a single representative. From Definition 2, we see that $\beta \setminus \Sigma = trace_{A \setminus \Sigma}(\alpha) = trace_{A' \setminus \Sigma}(\alpha')$. Since $\alpha, \alpha'$ were chosen arbitrarily, we have

$\forall \alpha \in execs(A \setminus \Sigma) : \exists \alpha' \in execs(A' \setminus \Sigma) : trace_{A \setminus \Sigma}(\alpha) = trace_{A' \setminus \Sigma}(\alpha')$.

This implies $traces(A \setminus \Sigma) \subseteq traces(A' \setminus \Sigma)$, and we are done.
Theorem 19 (Trace Substitutivity for SIOA w.r.t. Action Renaming) Let $A, A'$ be SIOA such that $traces(A) \subseteq traces(A')$. Let $\rho$ be an injective mapping from actions to actions whose domain includes $acts(A) \cup acts(A')$. Then $traces(\rho(A)) \subseteq traces(\rho(A'))$.

Proof: For $\alpha \in execs(A)$, define $\rho(\alpha)$ to result from $\alpha$ by replacing each action $a$ along $\alpha$ by $\rho(a)$. Since $\rho$ is an injective mapping from actions to actions, its extension to executions is also injective. For $\beta \in traces(A)$, define $\rho(\beta)$ to result from $\beta$ by replacing each action $a$ along $\beta$ by $\rho(a)$, and each external signature $T$ along $\beta$ by $\rho(T)$, where $\rho(T)$ results from $T$ by replacing each action $a$ by $\rho(a)$. Since $\rho$ is an injective mapping from actions to actions, its extension to executions and traces is also injective. We also extend $\rho$ to the set of executions and traces of $A$ element-wise: $\rho(execs(A)) = \{\rho(\alpha) : \alpha \in execs(A)\}$, $\rho(traces(A)) = \{\rho(\beta) : \beta \in traces(A)\}$.

By Definition 8, $start(\rho(A)) = start(A)$, and $steps(\rho(A)) = \{(s, \rho(a), t) \mid (s, a, t) \in steps(A)\}$. Hence $execs(\rho(A)) = \rho(execs(A))$ and $traces(\rho(A)) = \rho(traces(A))$.

From $traces(A) \subseteq traces(A')$, we have $\rho(traces(A)) \subseteq \rho(traces(A'))$, since $\rho$ is monotonic with respect to sets of traces. Hence $traces(\rho(A)) \subseteq traces(\rho(A'))$, and we are done.
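As an added example (not code from the paper), the two trace operators used in Theorems 18 and 19, $\beta \setminus \Sigma$ and $\rho(\beta)$, on a constructed encoding of traces as alternating external signatures $(in, out)$ and actions. Following Definition 7 (cited above but not restated here), hiding here also drops $\Sigma$ from the out-set of each signature, which is an assumption of this example; the closing check confirms that inclusion between two constructed trace sets survives both operators.

```python
# Constructed encoding (not the paper's notation): a trace is a tuple that
# alternates external signatures and actions. An external signature is a pair
# (in, out) of frozensets of action names; an action is a plain string.

def ext_sig(inp=(), out=()):
    return (frozenset(inp), frozenset(out))

def is_sig(x):
    return isinstance(x, tuple)

def collapse(items):
    """Replace each maximal block of identical consecutive signatures by one representative."""
    res = []
    for x in items:
        if res and is_sig(x) and is_sig(res[-1]) and x == res[-1]:
            continue
        res.append(x)
    return tuple(res)

def hide(trace, sigma):
    """beta \\ Sigma as in the proof of Theorem 18: drop every action in Sigma, then
    collapse. Assumption from Definition 7: Sigma also leaves each signature's out-set."""
    sigma = frozenset(sigma)
    kept = []
    for x in trace:
        if is_sig(x):
            kept.append((x[0], x[1] - sigma))
        elif x not in sigma:
            kept.append(x)
    return collapse(kept)

def rename(trace, rho):
    """rho(beta) as in the proof of Theorem 19: apply the injective map rho to every
    action and to every action inside every signature T along the trace."""
    assert len(set(rho.values())) == len(rho), "rho must be injective"
    r = lambda a: rho.get(a, a)
    return tuple((frozenset(map(r, x[0])), frozenset(map(r, x[1]))) if is_sig(x) else r(x)
                 for x in trace)

def hide_all(traces, sigma):
    return {hide(t, sigma) for t in traces}

def rename_all(traces, rho):
    return {rename(t, rho) for t in traces}

def inclusion_preserved(traces_a, traces_a2, sigma, rho):
    """The statements of Theorems 18 and 19 checked on finite constructed trace sets:
    traces_a <= traces_a2 must imply inclusion after hiding and after renaming."""
    assert traces_a <= traces_a2
    return (hide_all(traces_a, sigma) <= hide_all(traces_a2, sigma)
            and rename_all(traces_a, rho) <= rename_all(traces_a2, rho))

# Constructed sample data: A' has every trace of A plus one more.
S1 = ext_sig(inp={"req"}, out={"ack", "log"})
S2 = ext_sig(inp={"req"}, out={"ack"})
T1 = (S1, "req", S1, "log", S1, "ack", S1)
T2 = (S1, "req", S1, "ack", S2)
TRACES_A = {T1}
TRACES_A2 = {T1, T2}
RHO = {"req": "request", "ack": "acknowledge"}
```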




4.1 Trace Equivalence as a Congruence 


SIOA A and A’ are trace equivalent iff traces(A) = traces(A’). A straightforward corollary of our mono- 
tonicity results is that trace equivalence is a congruence relation with respect to parallel composition, action 
hiding, and action renaming. 


Theorem 20 (Trace equivalence is a congruence) Let $A_1, \ldots, A_n$ be compatible SIOA, and let $A = A_1 \| \cdots \| A_n$. For some $k \in [1:n]$, let $A_1, \ldots, A_{k-1}, A'_k, A_{k+1}, \ldots, A_n$ be compatible SIOA, and let $A' = A_1 \| \cdots \| A_{k-1} \| A'_k \| A_{k+1} \| \cdots \| A_n$.

1. If $traces(A_k) = traces(A'_k)$, then $traces(A) = traces(A')$.

2. If $traces(A_k) = traces(A'_k)$, then $traces(A_k \setminus \Sigma) = traces(A'_k \setminus \Sigma)$.

3. If $traces(A_k) = traces(A'_k)$, then $traces(\rho(A_k)) = traces(\rho(A'_k))$.

Proof: Clauses 1, 2, and 3 follow from Theorems 17, 18, and 19 respectively, by application with respect to both directions of trace inclusion.


5 Configurations and Configuration Automata 


Suppose that $a$ is an action of SIOA $A$ whose execution has the side-effect of creating another SIOA $B$. To model this, we keep track of the set of “alive” SIOA, i.e., those that have been created but not destroyed (we consider the automata that are initially present to be “created at time zero”). Thus, we require a transition relation over sets of SIOA. We also keep track of the current global state, i.e., the tuple of local states of every SIOA that is alive. Thus, we replace the notion of global state with the notion of “configuration,” i.e., the set $\mathbf{A}$ of alive SIOA, and a mapping $S$ with domain $\mathbf{A}$ such that $S(A)$ is the current local state of $A$, for each SIOA $A \in \mathbf{A}$.


A configuration contains within it a set of SIOA, each of which embodies a transition relation. Thus, 
the possible transitions out of a configuration cannot be given arbitrarily, as when defining a transition 
relation over “unstructured” states. Rather, these transitions should be “intrinsically” determined by the 
SIOA in the configuration. Below we define the intrinsic transitions between configurations, and then
define a “configuration automaton” as an SIOA whose transition relation respects these intrinsic transitions. 
Configuration automata are our principal semantic objects. 


Definition 15 (Configuration, Compatible configuration) A configuration is a pair $(\mathbf{A}, S)$ where

• $\mathbf{A}$ is a finite set of signature I/O automaton identifiers, and

• $S$ maps each $A \in \mathbf{A}$ to an $s \in states(A)$.

A configuration $(\mathbf{A}, S)$ is compatible iff, for all $A \in \mathbf{A}$, $B \in \mathbf{A}$, $A \ne B$:

1. $sig(A)(S(A)) \cap int(B)(S(B)) = \emptyset$, and
2. $out(A)(S(A)) \cap out(B)(S(B)) = \emptyset$.

The compatibility condition is the usual I/O automaton compatibility condition [23], applied to a configuration. If $C = (\mathbf{A}, S)$ is a configuration, then we use $(A, s) \in C$ as shorthand for $A \in \mathbf{A} \wedge S(A) = s$, and we also qualify $\mathbf{A}$ and $S$ with the notation $C.\mathbf{A}$, $C.S$, where needed.


A configuration is a “flat” structure in that it consists of a set of SIOA (identifier, local-state) pairs, with 
no grouping information. Such grouping could arise, for example, by the composition of subsystems into 
larger subsystems. This grouping will be reflected in the states of configuration automata, rather than the 
configurations themselves, which are not states, but are the semantic denotations of states. We defined a 
configuration to be a set of SIOA identifiers together with a mapping from identifiers to SIOA states. Hence, 
every SIOA is uniquely distinguished by its identifier. Thus our formalism does not a priori admit the 
existence of clones, as discussed in the introduction. 


Definition 16 (Intrinsic attributes of a configuration) Let $C = (\mathbf{A}, S)$ be a compatible configuration. Then we define

• $out(C) = \bigcup_{A \in \mathbf{A}} out(A)(S(A))$.

• $in(C) = (\bigcup_{A \in \mathbf{A}} in(A)(S(A))) - out(C)$.

• $int(C) = \bigcup_{A \in \mathbf{A}} int(A)(S(A))$.

• $ext(C) = (in(C), out(C))$.

• $sig(C) = (in(C), out(C), int(C))$.

We call $sig(C)$ the intrinsic signature of $C$, since it is determined solely by $C$. Define $reduce(C) = (\mathbf{A}', S\lceil \mathbf{A}')$, where $\mathbf{A}' = \{A \mid A \in \mathbf{A} \text{ and } sig(A)(S(A)) \ne \emptyset\}$. $C$ is a reduced configuration iff $C = reduce(C)$.


A consequence of this definition is that an empty configuration cannot execute any transitions. Also, we do 
not define transitions from a non-compatible configuration. Thus, the initial configuration of a transition is 
guaranteed to be compatible. However, the final configuration of a transition may not be compatible. This 
may arise, for example, when two SIOA are involved in executing an action a, and their signatures in their 
final local states may contain output actions in common. Another possibility is when a new SIOA is created, 
and its signature in its initial state violates the compatibility condition (Definition 15) with respect to an
already existing SIOA. 


We now define the intrinsic transitions $\Rightarrow_\varphi$ that can be taken from a given configuration $(\mathbf{A}, S)$. Our definition is parametrized by a set $\varphi$ of SIOA identifiers which represents SIOA which are to be “created” by the execution of the transition. This set is not determined by the transition itself, but rather by the configuration automaton which has $(\mathbf{A}, S)$ as the semantic denotation of one of its states. Thus, it has to be supplied to the definition as a parameter.


Definition 17 (Intrinsic transition, $\Rightarrow_\varphi$) Let $(\mathbf{A}, S)$, $(\mathbf{A}', S')$ be arbitrary reduced compatible configurations, and let $\varphi \subseteq Autids$. Then $(\mathbf{A}, S) \stackrel{a}{\Rightarrow}_\varphi (\mathbf{A}', S')$ iff there exists a compatible configuration $(\mathbf{A}'', S'')$ such that all of the following hold:

1. $a \in sig((\mathbf{A}, S))$.

2. $\mathbf{A}'' = \mathbf{A} \cup \varphi$.

3. For all $A \in \mathbf{A}'' - \mathbf{A}$ : $S''(A) \in start(A)$.

4. For all $A \in \mathbf{A}$: if $a \in sig(A)(S(A))$ then $S(A) \stackrel{a}{\to}_A S''(A)$, otherwise $S(A) = S''(A)$.

5. $(\mathbf{A}', S') = reduce((\mathbf{A}'', S''))$.

All the SIOA with identifiers in $\varphi - \mathbf{A}$ ($= \mathbf{A}'' - \mathbf{A}$) are “created” in some start state (Clause 3). The SIOA identifiers in $\varphi \cap \mathbf{A}$ have no effect, since the SIOA with these identifiers are already alive. We apply the reduce operator to the intermediate configuration $(\mathbf{A}'', S'')$ to obtain the final configuration $(\mathbf{A}', S')$ resulting from the transition. This removes all SIOA which have an empty signature, and is our mechanism for destroying SIOA. An SIOA with an empty signature cannot execute any transition, and so cannot change its state. Thus it will remain forever in its current state, and will be unable to interact with any other SIOA. Thus, an SIOA “self-destructs” by moving to a state with an empty signature. This is the only mechanism for SIOA destruction. In particular, we do not permit one SIOA to destroy another, although an SIOA can certainly send a “please destroy yourself” request to another SIOA.
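The following added example (not part of the paper) encodes Definitions 15, 16 and 17 for two constructed toy SIOA, a spawner P and a worker W, and computes the set of successor configurations of $\stackrel{a}{\Rightarrow}_\varphi$; the representation of signatures and steps is an assumption of the example. It shows creation through $\varphi$ and destruction through reduce once W moves to an empty-signature state.

```python
from dataclasses import dataclass
from itertools import product

# Constructed encoding of SIOA (not the paper's notation): each SIOA has start
# states, a state-dependent signature sig(A)(s) = (in, out, int), and a step
# relation given as (s, a, t) triples.
@dataclass(frozen=True)
class Sig:
    inp: frozenset
    out: frozenset
    int_: frozenset

    def acts(self):
        return self.inp | self.out | self.int_

@dataclass
class SIOA:
    start: set
    sig: dict      # state -> Sig
    steps: set     # {(s, a, t)}

EMPTY = frozenset()

def sig(inp=(), out=(), int_=()):
    return Sig(frozenset(inp), frozenset(out), frozenset(int_))

# Autids -> SIOA. P creates a worker W while executing output "spawn"; W takes an
# internal "work" step, outputs "done", and then enters a state with an empty
# signature, i.e. it self-destructs (the only destruction mechanism in the text).
AUTS = {
    "P": SIOA({"p0"}, {"p0": sig(out={"spawn"}), "p1": sig(inp={"done"})},
              {("p0", "spawn", "p1"), ("p1", "done", "p1")}),
    "W": SIOA({"w0"}, {"w0": sig(int_={"work"}), "w1": sig(out={"done"}), "w2": sig()},
              {("w0", "work", "w1"), ("w1", "done", "w2")}),
}

def sig_of(aid, s):
    return AUTS[aid].sig[s]

# Definition 15: a configuration is (A, S); compatibility is checked pairwise.
def compatible(conf):
    A, S = conf
    for a, b in product(A, A):
        if a != b:
            sa, sb = sig_of(a, S[a]), sig_of(b, S[b])
            if (sa.acts() & sb.int_) or (sa.out & sb.out):
                return False
    return True

# Definition 16: intrinsic signature of C, and reduce(C).
def intrinsic_sig(conf):
    A, S = conf
    sigs = [sig_of(a, S[a]) for a in A]
    out = EMPTY.union(*(g.out for g in sigs))
    inp = EMPTY.union(*(g.inp for g in sigs)) - out
    int_ = EMPTY.union(*(g.int_ for g in sigs))
    return Sig(inp, out, int_)

def reduce_conf(conf):
    A, S = conf
    alive = frozenset(a for a in A if sig_of(a, S[a]).acts())
    return (alive, {a: S[a] for a in alive})

# Definition 17: every reduced compatible (A', S') with (A, S) =a=>_phi (A', S').
# S' is returned as a frozenset of items so that results can be collected in a set.
def intrinsic_successors(conf, a, phi):
    A, S = conf
    assert compatible(conf) and conf == reduce_conf(conf), "source must be reduced and compatible"
    if a not in intrinsic_sig(conf).acts():                   # clause 1
        return set()
    A2 = A | frozenset(phi)                                   # clause 2
    choices = []
    for b in sorted(A2):
        if b not in A:                                        # clause 3: created in a start state
            choices.append([(b, t) for t in sorted(AUTS[b].start)])
        elif a in sig_of(b, S[b]).acts():                     # clause 4: participants take an a-step
            choices.append([(b, t) for (s, x, t) in sorted(AUTS[b].steps)
                            if s == S[b] and x == a])
        else:                                                 # clause 4: others keep their state
            choices.append([(b, S[b])])
    result = set()
    for combo in product(*choices):
        inter = (A2, dict(combo))                             # candidate (A'', S'')
        if compatible(inter):                                 # (A'', S'') must be compatible
            A3, S3 = reduce_conf(inter)                       # clause 5
            result.add((A3, frozenset(S3.items())))
    return result

def run_scenario():
    """Create W with spawn, let it work and report done, and watch reduce destroy it."""
    history = [(frozenset({"P"}), {"P": "p0"})]
    for act, phi in [("spawn", {"W"}), ("work", set()), ("done", set())]:
        succ = intrinsic_successors(history[-1], act, phi)
        assert len(succ) == 1, (act, succ)                    # deterministic in this toy system
        A3, S3 = next(iter(succ))
        history.append((A3, dict(S3)))
    return history
```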


Definition 18 (Configuration Automaton) A configuration automaton $X$ consists of the following components

1. A signature I/O automaton $sioa(X)$.
For brevity, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) = sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and attributes of $sioa(X)$.

2. A configuration mapping $config(X)$ with domain $states(X)$ and such that $config(X)(x)$ is a reduced compatible configuration for all $x \in states(X)$.

3. For each $x \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and such that $created(X)(x)(a) \subseteq Autids$ for all $a \in sig(X)(x)$.

and satisfies the following constraints

1. If $x \in start(X)$ and $(A, s) \in config(X)(x)$, then $s \in start(A)$.

2. If $(x, a, y) \in steps(X)$ then $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$, where $\varphi = created(X)(x)(a)$.

3. If $x \in states(X)$ and $config(X)(x) \stackrel{a}{\Rightarrow}_\varphi D$ for some action $a$, $\varphi = created(X)(x)(a)$, and reduced compatible configuration $D$, then $\exists y \in states(X) : config(X)(y) = D$ and $(x, a, y) \in steps(X)$.

4. For all $x \in states(X)$
(a) $out(X)(x) \subseteq out(config(X)(x))$,
(b) $in(X)(x) = in(config(X)(x))$,
(c) $int(X)(x) \supseteq int(config(X)(x))$, and
(d) $out(X)(x) \cup int(X)(x) = out(config(X)(x)) \cup int(config(X)(x))$.


The above constraints are needed to properly reflect the connection between the behavior of a configuration 
automaton and the configurations in each state. Constraint 1 requires that configurations corresponding 
to start states of X must map their constituent SIOA to start states. Constraint 2 admits as transitions 
of X only transitions that can be generated as intrinsic transitions of the corresponding configurations. 
Constraint 3 requires that all the intrinsic transitions $\Rightarrow$ that a configuration is capable of must be represented in $X$: all the successor configurations generated by such transitions must be represented in the states and transitions of $X$. Constraint 4 states that the signature of a state $x$ of $X$ must be the same as the signature of its corresponding configuration $config(X)(x)$, except for the possible effects of hiding operators, so that some outputs of $config(X)(x)$ may be internal actions of $X$ in state $x$.


These constraints represent a significant difference with the basic I/O automaton model: there, states are 
either “atomic” entities, or tuples of tuples of ...of atomic entities. Thus, states, in and of themselves, 
embody no information about their possible successor states. That information is given by the transition 
relation, and there are no constraints on the transition relation itself: any set of triples (state, action, state) 
which respects the input enabling requirement can be a transition relation. 


Since an SIOA that is created “within” a configuration automaton always remains within that automaton, 
we see that configuration automata serve as a natural encapsulation boundary for component creation. Even 
if an SIOA migrates and changes its location, it always remains a part of the same configuration automaton. 
Migration and location are not primitive notions in our model, in contrast with, for example, the Ambient 
Calculus [8], but are built on top of configuration automata and variable signatures, see Section 7 below. 


In the sequel, we write $config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$ as an abbreviation for “$config(X)(x) \stackrel{a}{\Rightarrow}_\varphi config(X)(y)$ where $\varphi = created(X)(x)(a)$.”

Definition 19 Let $X$ be a configuration automaton. For each $x \in states(X)$, define the abbreviations $auts(X)(x) = auts(config(X)(x))$ and $map(X)(x) = map(config(X)(x))$.


Definition 20 (Execution, trace of configuration automaton) A configuration automaton X inherits 
the notions of execution fragment and execution from sioa(X). Thus, a is an execution fragment (execution) 
of X iff it is an execution fragment (execution) of sioa(X). execs(X) denotes the set of executions of 
configuration automaton $X$. $X$ also inherits the notion of trace from $sioa(X)$. Thus, $\beta$ is a trace of $X$ iff it is a trace of $sioa(X)$. $traces(X)$ denotes the set of traces of configuration automaton $X$.


5.1 Parallel Composition of Configuration I/O Automata 


We now deal with the composition of configuration automata. 


Definition 21 (Union of configurations) Let $C_1 = (\mathbf{A}_1, S_1)$ and $C_2 = (\mathbf{A}_2, S_2)$ be configurations such that $\mathbf{A}_1 \cap \mathbf{A}_2 = \emptyset$. Then, the union of $C_1$ and $C_2$, denoted $C_1 \cup C_2$, is the configuration $C = (\mathbf{A}, S)$ where $\mathbf{A} = \mathbf{A}_1 \cup \mathbf{A}_2$, and $S$ agrees with $S_1$ on $\mathbf{A}_1$, and with $S_2$ on $\mathbf{A}_2$.

It is clear that configuration union is commutative and associative. Hence, we will freely use the n-ary notation $C_1 \cup \cdots \cup C_n$ (for any $n \ge 1$) whenever $\bigwedge_{i, j \in [1:n], i \ne j} auts(C_i) \cap auts(C_j) = \emptyset$.
Definition 22 (Compatible configuration automata) Let $X_1, \ldots, X_n$ be configuration automata. $X_1, \ldots, X_n$ are compatible iff, for every $(x_1, \ldots, x_n) \in states(X_1) \times \cdots \times states(X_n)$, all of the following hold:

1. $\forall i, j \in [1:n], i \ne j : auts(config(X_i)(x_i)) \cap auts(config(X_j)(x_j)) = \emptyset$.

2. $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ is a reduced compatible configuration.

3. $\{sig(X_1)(x_1), \ldots, sig(X_n)(x_n)\}$ is a set of compatible signatures.

4. $\forall i, j \in [1:n], i \ne j : \forall a \in sig(X_i)(x_i) \cap sig(X_j)(x_j) : created(X_i)(x_i)(a) \cap created(X_j)(x_j)(a) = \emptyset$.

Definition 23 (Composition of configuration automata) Let $X_1, \ldots, X_n$ be compatible configuration automata. Then $X = X_1 \| \cdots \| X_n$ is the state machine consisting of the following components:

1. $sioa(X) = sioa(X_1) \| \cdots \| sioa(X_n)$.

2. A configuration mapping $config(X)$ given as follows. For each $x = (x_1, \ldots, x_n) \in states(X)$, $config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$.

3. For each $x = (x_1, \ldots, x_n) \in states(X)$, a mapping $created(X)(x)$ with domain $sig(X)(x)$ and given as follows. For each $a \in sig(X)(x)$, $created(X)(x)(a) = \bigcup_{i \in [1:n],\, a \in sig(X_i)(x_i)} created(X_i)(x_i)(a)$.

As in Definition 18, we define $states(X) = states(sioa(X))$, $start(X) = start(sioa(X))$, $sig(X) = sig(sioa(X))$, $steps(X) = steps(sioa(X))$, and likewise for all other (sub)components and attributes of $sioa(X)$.


Proposition 21 Let $X_1, \ldots, X_n$ be compatible configuration automata. Then $X = X_1 \| \cdots \| X_n$ is a configuration automaton.

Proof: We must show that $X$ satisfies the constraints of Definition 18. Since $X_1, \ldots, X_n$ are configuration automata, they already satisfy the constraints. The argument for each constraint then uses this together with Definition 23 to show that $X$ itself satisfies the constraint. The details are as follows, for each constraint in turn.

Constraint 1. Let $x \in start(X)$ and $(A, s) \in config(X)(x)$. Then, $x = (x_1, \ldots, x_n)$ where $x_i \in start(X_i)$ for $1 \le i \le n$. By Definition 23, $config(X)(x) = config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$. Hence $(A, s) \in config(X_j)(x_j)$ for some $j \in [1:n]$. Also, $x_j \in start(X_j)$. Since $X_j$ is a configuration automaton, we apply Constraint 1 to $X_j$ to conclude $s \in start(A)$. Hence, Constraint 1 holds for $X$.


Constraint 2. Let $(x, a, y)$ be an arbitrary element of $steps(X)$. We will establish $config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$.

For brevity, let $A_i = sioa(X_i)$ for $i \in [1:n]$. Now $(x, a, y) \in steps(X)$. So $(x, a, y) \in steps(sioa(X))$ by Definition 23. Also by Definition 23, $sioa(X) = sioa(X_1) \| \cdots \| sioa(X_n) = A_1 \| \cdots \| A_n$. So, $(x, a, y) \in steps(A_1 \| \cdots \| A_n)$. Since $x, y \in states(A_1 \| \cdots \| A_n)$, we can write $x, y$ as $(x_1, \ldots, x_n)$, $(y_1, \ldots, y_n)$ respectively, where $x_i, y_i \in states(A_i)$ for $i \in [1:n]$. From Definition 6, there exists a nonempty $\varphi \subseteq [1:n]$ such that

$(\bigwedge_{i \in \varphi} a \in sig(A_i)(x_i) \wedge (x_i, a, y_i) \in steps(A_i)) \wedge (\bigwedge_{i \in [1:n] - \varphi} a \notin sig(A_i)(x_i) \wedge x_i = y_i)$. (a)

Each $X_i$, $i \in [1:n]$, is a configuration automaton. Hence, by (a) and constraint 2 applied to each $X_i$, $i \in \varphi$,

$\bigwedge_{i \in \varphi} (config(X_i)(x_i) \stackrel{a}{\Rightarrow}_{X_i, x_i} config(X_i)(y_i))$. (b)

Also by (a),

$\bigwedge_{i \in [1:n] - \varphi} (config(X_i)(x_i) = config(X_i)(y_i))$. (c)

Since $X_1, \ldots, X_n$ are compatible, we have, by Definition 22, that $config(X_1)(x_1) \cup \cdots \cup config(X_n)(x_n)$ and $config(X_1)(y_1) \cup \cdots \cup config(X_n)(y_n)$ are both reduced compatible configurations.

By Definition 23, $created(X)(x)(a) = \bigcup_{i \in [1:n],\, a \in sig(X_i)(x_i)} created(X_i)(x_i)(a)$. By this, (a), (b), (c), and Definition 17, we obtain

$(\bigcup_{i \in [1:n]} config(X_i)(x_i)) \stackrel{a}{\Rightarrow}_{X,x} (\bigcup_{i \in [1:n]} config(X_i)(y_i))$. (d)

By Definition 23, $config(X)(x) = \bigcup_{i \in [1:n]} config(X_i)(x_i)$ and $config(X)(y) = \bigcup_{i \in [1:n]} config(X_i)(y_i)$. Hence

$config(X)(x) \stackrel{a}{\Rightarrow}_{X,x} config(X)(y)$,

and we are done.


Constraint 3. Let $x$ be an arbitrary state in $\mathit{states}(X)$ and $D$ an arbitrary reduced compatible configuration such that $\mathit{config}(X)(x) \Longrightarrow_{a,\varphi} D$, where $\varphi = \mathit{created}(X)(x)(a)$. We must show $\exists y \in \mathit{states}(X) : (x,a,y) \in \mathit{steps}(X)$ and $\mathit{config}(X)(y) = D$.

We can write $x$ as $(x_1,\ldots,x_n)$ where $x_i \in \mathit{states}(X_i)$ for $i \in [1:n]$.

Since $X_1,\ldots,X_n$ are compatible, we have, by Definition 22, that $\mathit{auts}(\mathit{config}(X_i)(x_i)) \cap \mathit{auts}(\mathit{config}(X_j)(x_j)) = \emptyset$ for all $i,j \in [1:n]$, $i \neq j$ (thus, all SIOA in these configurations are unique), and that $\mathit{config}(X_1)(x_1) \cup \cdots \cup \mathit{config}(X_n)(x_n)$ is a reduced compatible configuration. Also, from Definition 23, $\mathit{config}(X)(x) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$. Hence from $\mathit{config}(X)(x) \Longrightarrow_{a,\varphi} D$,

$(\bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)) \Longrightarrow_{a,\varphi} D$. (a)

Hence, from Definition 17, there exists a nonempty $\phi \subseteq [1:n]$ such that

$(\bigwedge_{i \in \phi} a \in \mathit{sig}(X_i)(x_i)) \wedge (\bigwedge_{i \in [1:n]-\phi} a \notin \mathit{sig}(X_i)(x_i))$. (b)

We now define $D_i$, $1 \le i \le n$, as follows.
For $i \in [1:n] - \phi$, $D_i = \mathit{config}(X_i)(x_i)$.
For $i \in \phi$, $D_i = (DA_i, \mathit{map}(D){\upharpoonright}DA_i)$, where
$DA_i = \{A : A \in D \text{ and } [A \in \mathit{auts}(\mathit{config}(X_i)(x_i)) \text{ or } A \in \mathit{created}(X_i)(x_i)(a)]\}$.
Hence, by definition of $D_i$, Definition 17, (a), and the compatibility of $X_1,\ldots,X_n$, we have

$\bigwedge_{i \in \phi} (\mathit{config}(X_i)(x_i) \Longrightarrow_{a,\varphi_i} D_i)$, where $\varphi_i = \mathit{created}(X_i)(x_i)(a)$. (c)

Now each $X_i$, $i \in [1:n]$, is a configuration automaton. Hence, from (c) and constraint 3 applied to $X_i$, $i \in \phi$,

$\bigwedge_{i \in \phi} \exists y_i \in \mathit{states}(X_i) : \mathit{config}(X_i)(y_i) = D_i$ and $(x_i,a,y_i) \in \mathit{steps}(X_i)$. (d)

Let $y = (y_1,\ldots,y_n)$ where, for $i \in \phi$, $y_i$ is given by (d), and for $i \in [1:n] - \phi$, $y_i = x_i$. Hence, for $i \in [1:n]$, $y_i \in \mathit{states}(X_i)$. Since $X_1,\ldots,X_n$ are compatible configuration automata, we get, by Definitions 18 and 22,

$\mathit{auts}(\mathit{config}(X_i)(y_i)) \cap \mathit{auts}(\mathit{config}(X_j)(y_j)) = \emptyset$ for all $i,j \in [1:n]$, $i \neq j$, and
$\mathit{config}(X_1)(y_1) \cup \cdots \cup \mathit{config}(X_n)(y_n)$ is a reduced compatible configuration. (e)

Thus, in particular, all SIOA in the configurations $\mathit{config}(X_1)(y_1),\ldots,\mathit{config}(X_n)(y_n)$ are unique. From (d), for $i \in \phi$, $\mathit{config}(X_i)(y_i) = D_i$. By definition of $D_i$, for $i \in [1:n] - \phi$, $\mathit{config}(X_i)(x_i) = D_i$. By definition of $y_i$, for $i \in [1:n] - \phi$, $y_i = x_i$. Hence, for $i \in [1:n] - \phi$, $\mathit{config}(X_i)(y_i) = D_i$. Combining these, we get

$\bigwedge_{i \in [1:n]} \mathit{config}(X_i)(y_i) = D_i$. (f)

From the definition of $D_i$ and Definition 17, we have that $D = D_1 \cup \cdots \cup D_n$. Also, by Definition 23, $\mathit{config}(X)(y) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(y_i)$. By this, (f), and $D = D_1 \cup \cdots \cup D_n$,

$\mathit{config}(X)(y) = D$. (g)

By definition of $y_i$, for $i \in [1:n] - \phi$, $y_i = x_i$. By (d), for $i \in \phi$, $(x_i,a,y_i) \in \mathit{steps}(X_i)$. From these and (b), we get

$\bigwedge_{i \in \phi} a \in \mathit{sig}(X_i)(x_i) \wedge (x_i,a,y_i) \in \mathit{steps}(X_i)$, and

$\bigwedge_{i \in [1:n]-\phi} a \notin \mathit{sig}(X_i)(x_i) \wedge y_i = x_i$.

From this, $x = (x_1,\ldots,x_n)$, $y = (y_1,\ldots,y_n)$, and Definitions 6 and 23, we conclude $(x,a,y) \in \mathit{steps}(X)$. From this and (g), we have

$(x,a,y) \in \mathit{steps}(X)$ and $\mathit{config}(X)(y) = D$,

and we are done.

Constraint 4. We treat each subconstraint in turn.


Constraint 4a: $\mathit{out}(X)(x) \subseteq \mathit{out}(\mathit{config}(X)(x))$.
By Definitions 6 and 23,

$\mathit{out}(X)(x) = \bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4a. Hence

$\bigwedge_{i \in [1:n]} \mathit{out}(X_i)(x_i) \subseteq \mathit{out}(\mathit{config}(X_i)(x_i))$.

Taking the unions of both sides, over all $i \in [1:n]$, we obtain

$(\bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i)) \subseteq (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)))$. (b)

By Definition 23, $\mathit{config}(X)(x) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$. By assumption, $X_1,\ldots,X_n$ are compatible configuration automata. Hence, by Definition 22, $\bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$ is a reduced compatible configuration. So, from Definition 16, we obtain

$\mathit{out}(\mathit{config}(X)(x)) = \bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i))$. (c)

From (a,b,c), we obtain $\mathit{out}(X)(x) = \bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i) \subseteq (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i))) = \mathit{out}(\mathit{config}(X)(x))$, as desired.


Constraint 4b: $\mathit{in}(X)(x) = \mathit{in}(\mathit{config}(X)(x))$. By Definitions 6 and 23,

$\mathit{in}(X)(x) = (\bigcup_{i \in [1:n]} \mathit{in}(X_i)(x_i)) - (\bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i))$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraints 4a and 4b. Hence

$\bigwedge_{i \in [1:n]} \mathit{in}(X_i)(x_i) = \mathit{in}(\mathit{config}(X_i)(x_i))$,
$\bigwedge_{i \in [1:n]} \mathit{out}(X_i)(x_i) \subseteq \mathit{out}(\mathit{config}(X_i)(x_i))$. (b)

Since the $X_i$ are configuration automata, they all satisfy constraint 4d. Hence

$\bigwedge_{i \in [1:n]} \mathit{out}(X_i)(x_i) \cup \mathit{int}(X_i)(x_i) = \mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i))$. (c)

And so,

$\bigwedge_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)) \subseteq \mathit{out}(X_i)(x_i) \cup \mathit{int}(X_i)(x_i)$. (d)

Since $\mathit{out}(X_i)(x_i) \cap \mathit{int}(X_i)(x_i) = \emptyset$ for all $i \in [1:n]$, by the partitioning of actions into input, output, and internal, we have, by (b,d),

$\bigwedge_{i \in [1:n]} \mathit{out}(X_i)(x_i) = \mathit{out}(\mathit{config}(X_i)(x_i)) - \mathit{int}(X_i)(x_i)$. (e)

Taking the unions of both sides, over all $i \in [1:n]$, in (b) and (e), we obtain

$(\bigcup_{i \in [1:n]} \mathit{in}(X_i)(x_i)) = (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i)))$,
$(\bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i)) = (\bigcup_{i \in [1:n]} (\mathit{out}(\mathit{config}(X_i)(x_i)) - \mathit{int}(X_i)(x_i)))$. (f)

From (a,f), we obtain

$\mathit{in}(X)(x) = (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i))) - (\bigcup_{i \in [1:n]} (\mathit{out}(\mathit{config}(X_i)(x_i)) - \mathit{int}(X_i)(x_i)))$. (g)

From (c),

$\bigwedge_{i \in [1:n]} \mathit{int}(X_i)(x_i) \subseteq \mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i))$. (h)

Now $(\mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i))) \cap \mathit{in}(\mathit{config}(X_i)(x_i)) = \emptyset$, for all $i \in [1:n]$, by the partitioning of actions into input, output, and internal. Hence, by (h),

$\bigwedge_{i \in [1:n]} \mathit{int}(X_i)(x_i) \cap \mathit{in}(\mathit{config}(X_i)(x_i)) = \emptyset$. (i)

From (b,i), and the compatibility of $X_1,\ldots,X_n$, we get

$(\bigcup_{i \in [1:n]} \mathit{int}(X_i)(x_i)) \cap (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i))) = \emptyset$. (j)

From (g,j),

$\mathit{in}(X)(x) = (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i))) - (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)))$. (k)

By Definition 23, $\mathit{config}(X)(x) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$. By assumption, $X_1,\ldots,X_n$ are compatible configuration automata. Hence, by Definition 22, $\bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$ is a reduced compatible configuration. So, from Definition 16, we obtain

$\mathit{in}(\mathit{config}(X)(x)) = (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i))) - (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)))$. (l)

Finally, from (k,l), we obtain $\mathit{in}(X)(x) = (\bigcup_{i \in [1:n]} \mathit{in}(\mathit{config}(X_i)(x_i))) - (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i))) = \mathit{in}(\mathit{config}(X)(x))$, as desired.


Constraint 4c: $\mathit{int}(X)(x) \supseteq \mathit{int}(\mathit{config}(X)(x))$.
By Definitions 6 and 23,

$\mathit{int}(X)(x) = \bigcup_{i \in [1:n]} \mathit{int}(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4c. Hence

$\bigwedge_{i \in [1:n]} \mathit{int}(X_i)(x_i) \supseteq \mathit{int}(\mathit{config}(X_i)(x_i))$.

Taking the unions of both sides, over all $i \in [1:n]$, we obtain

$(\bigcup_{i \in [1:n]} \mathit{int}(X_i)(x_i)) \supseteq (\bigcup_{i \in [1:n]} \mathit{int}(\mathit{config}(X_i)(x_i)))$. (b)

By Definition 23, $\mathit{config}(X)(x) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$. By assumption, $X_1,\ldots,X_n$ are compatible configuration automata. Hence, by Definition 22, $\bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$ is a reduced compatible configuration. So, from Definition 16, we obtain

$\mathit{int}(\mathit{config}(X)(x)) = \bigcup_{i \in [1:n]} \mathit{int}(\mathit{config}(X_i)(x_i))$. (c)

From (a,b,c), we obtain $\mathit{int}(X)(x) = \bigcup_{i \in [1:n]} \mathit{int}(X_i)(x_i) \supseteq (\bigcup_{i \in [1:n]} \mathit{int}(\mathit{config}(X_i)(x_i))) = \mathit{int}(\mathit{config}(X)(x))$, as desired.


Constraint 4d: $\mathit{out}(X)(x) \cup \mathit{int}(X)(x) = \mathit{out}(\mathit{config}(X)(x)) \cup \mathit{int}(\mathit{config}(X)(x))$.
By Definitions 6 and 23,

$\mathit{out}(X)(x) = \bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i)$,
$\mathit{int}(X)(x) = \bigcup_{i \in [1:n]} \mathit{int}(X_i)(x_i)$. (a)

Since the $X_i$ are configuration automata, they all satisfy constraint 4d. Hence

$\bigwedge_{i \in [1:n]} (\mathit{out}(X_i)(x_i) \cup \mathit{int}(X_i)(x_i)) = (\mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i)))$.

Taking the unions of both sides, over all $i \in [1:n]$, we obtain

$(\bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i) \cup \mathit{int}(X_i)(x_i)) = (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i)))$. (b)

By Definition 23, $\mathit{config}(X)(x) = \bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$. By assumption, $X_1,\ldots,X_n$ are compatible configuration automata. Hence, by Definition 22, $\bigcup_{i \in [1:n]} \mathit{config}(X_i)(x_i)$ is a reduced compatible configuration. So, from Definition 16, we obtain

$\mathit{out}(\mathit{config}(X)(x)) = \bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i))$,
$\mathit{int}(\mathit{config}(X)(x)) = \bigcup_{i \in [1:n]} \mathit{int}(\mathit{config}(X_i)(x_i))$. (c)

From (a,b,c), we obtain $(\mathit{out}(X)(x) \cup \mathit{int}(X)(x)) = (\bigcup_{i \in [1:n]} \mathit{out}(X_i)(x_i) \cup \mathit{int}(X_i)(x_i)) = (\bigcup_{i \in [1:n]} \mathit{out}(\mathit{config}(X_i)(x_i)) \cup \mathit{int}(\mathit{config}(X_i)(x_i))) = \mathit{out}(\mathit{config}(X)(x)) \cup \mathit{int}(\mathit{config}(X)(x))$, as desired.


Since we have established that X satisfies all the constraints, the proof is done. 


5.2 Action Hiding for Configuration Automata 


Definition 24 (Action hiding for configuration automata) Let $X$ be a configuration automaton and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is the state machine consisting of the following components:

1. A signature I/O automaton $\mathit{sioa}(X \setminus \Sigma) = \mathit{sioa}(X) \setminus \Sigma$.
2. A configuration mapping $\mathit{config}(X \setminus \Sigma) = \mathit{config}(X)$.
3. For each $x \in \mathit{states}(X \setminus \Sigma)$, a mapping $\mathit{created}(X \setminus \Sigma)(x) = \mathit{created}(X)(x)$.

As in Definition 18, we define $\mathit{states}(X \setminus \Sigma) = \mathit{states}(\mathit{sioa}(X \setminus \Sigma))$, $\mathit{start}(X \setminus \Sigma) = \mathit{start}(\mathit{sioa}(X \setminus \Sigma))$, $\mathit{sig}(X \setminus \Sigma) = \mathit{sig}(\mathit{sioa}(X \setminus \Sigma))$, $\mathit{steps}(X \setminus \Sigma) = \mathit{steps}(\mathit{sioa}(X \setminus \Sigma))$, and likewise for all other components and attributes of $\mathit{sioa}(X \setminus \Sigma)$.


Proposition 22 Let $X$ be a configuration automaton and $\Sigma$ a set of actions. Then $X \setminus \Sigma$ is a configuration automaton.

Proof: We must show that $X \setminus \Sigma$ satisfies the constraints of Definition 18. Since $X$ is a configuration automaton, constraints 1, 2, and 3 hold for $X$. From Definitions 7 and 24, we see that the only components of $X$ and $X \setminus \Sigma$ that differ are the signature and its various subsets. Now constraints 1, 2, and 3 do not involve the signature. Hence, they also hold for $X \setminus \Sigma$.


We deal with each subconstraint of Constraint 4 in turn. 


Constraint 4a: $\mathit{out}(X \setminus \Sigma)(x) \subseteq \mathit{out}(\mathit{config}(X \setminus \Sigma)(x))$.

By Definition 24, $\mathit{out}(X \setminus \Sigma)(x) = \mathit{out}(\mathit{sioa}(X \setminus \Sigma))(x) = \mathit{out}(\mathit{sioa}(X) \setminus \Sigma)(x)$. By Definition 7, $\mathit{out}(\mathit{sioa}(X) \setminus \Sigma)(x) = \mathit{out}(\mathit{sioa}(X))(x) - \Sigma$. By Definition 18, which is applicable since $X$ is a configuration automaton, $\mathit{out}(\mathit{sioa}(X))(x) = \mathit{out}(X)(x)$. Hence, $\mathit{out}(\mathit{sioa}(X))(x) - \Sigma = \mathit{out}(X)(x) - \Sigma$. Putting the above equalities together, we obtain

$\mathit{out}(X \setminus \Sigma)(x) = \mathit{out}(X)(x) - \Sigma$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4a. Hence

$\mathit{out}(X)(x) \subseteq \mathit{out}(\mathit{config}(X)(x))$. (b)

By Definition 24, $\mathit{config}(X \setminus \Sigma) = \mathit{config}(X)$. Hence,

$\mathit{out}(\mathit{config}(X)(x)) = \mathit{out}(\mathit{config}(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $\mathit{out}(X \setminus \Sigma)(x) \subseteq \mathit{out}(X)(x) \subseteq \mathit{out}(\mathit{config}(X)(x)) = \mathit{out}(\mathit{config}(X \setminus \Sigma)(x))$, as desired.

Constraint 4b: $\mathit{in}(X \setminus \Sigma)(x) = \mathit{in}(\mathit{config}(X \setminus \Sigma)(x))$.

By Definition 24, $\mathit{in}(X \setminus \Sigma)(x) = \mathit{in}(\mathit{sioa}(X \setminus \Sigma))(x) = \mathit{in}(\mathit{sioa}(X) \setminus \Sigma)(x)$. By Definition 7, $\mathit{in}(\mathit{sioa}(X) \setminus \Sigma)(x) = \mathit{in}(\mathit{sioa}(X))(x)$. By Definition 18, which is applicable since $X$ is a configuration automaton, $\mathit{in}(\mathit{sioa}(X))(x) = \mathit{in}(X)(x)$. Putting the above equalities together, we obtain

$\mathit{in}(X \setminus \Sigma)(x) = \mathit{in}(X)(x)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4b. Hence

$\mathit{in}(X)(x) = \mathit{in}(\mathit{config}(X)(x))$. (b)

By Definition 24, $\mathit{config}(X \setminus \Sigma) = \mathit{config}(X)$. Hence,

$\mathit{in}(\mathit{config}(X)(x)) = \mathit{in}(\mathit{config}(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $\mathit{in}(X \setminus \Sigma)(x) = \mathit{in}(X)(x) = \mathit{in}(\mathit{config}(X)(x)) = \mathit{in}(\mathit{config}(X \setminus \Sigma)(x))$, as desired.

Constraint 4c: $\mathit{int}(X \setminus \Sigma)(x) \supseteq \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$.

By Definition 24, $\mathit{int}(X \setminus \Sigma)(x) = \mathit{int}(\mathit{sioa}(X \setminus \Sigma))(x) = \mathit{int}(\mathit{sioa}(X) \setminus \Sigma)(x)$. By Definition 7, $\mathit{int}(\mathit{sioa}(X) \setminus \Sigma)(x) = \mathit{int}(\mathit{sioa}(X))(x) \cup (\mathit{out}(\mathit{sioa}(X))(x) \cap \Sigma)$. By Definition 18, which is applicable since $X$ is a configuration automaton, $\mathit{int}(\mathit{sioa}(X))(x) = \mathit{int}(X)(x)$ and $\mathit{out}(\mathit{sioa}(X))(x) = \mathit{out}(X)(x)$. Hence, $\mathit{int}(\mathit{sioa}(X) \setminus \Sigma)(x) = \mathit{int}(X)(x) \cup (\mathit{out}(X)(x) \cap \Sigma)$. Putting the above equalities together, we obtain

$\mathit{int}(X \setminus \Sigma)(x) = \mathit{int}(X)(x) \cup (\mathit{out}(X)(x) \cap \Sigma)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4c. Hence

$\mathit{int}(X)(x) \supseteq \mathit{int}(\mathit{config}(X)(x))$. (b)

By Definition 24, $\mathit{config}(X \setminus \Sigma) = \mathit{config}(X)$. Hence,

$\mathit{int}(\mathit{config}(X)(x)) = \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $\mathit{int}(X \setminus \Sigma)(x) \supseteq \mathit{int}(X)(x) \supseteq \mathit{int}(\mathit{config}(X)(x)) = \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$, as desired.

Constraint 4d: $\mathit{out}(X \setminus \Sigma)(x) \cup \mathit{int}(X \setminus \Sigma)(x) = \mathit{out}(\mathit{config}(X \setminus \Sigma)(x)) \cup \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$.

In the proofs for Constraints 4a and 4c above, we established (the equations marked "(a)")

$\mathit{out}(X \setminus \Sigma)(x) = \mathit{out}(X)(x) - \Sigma$,
$\mathit{int}(X \setminus \Sigma)(x) = \mathit{int}(X)(x) \cup (\mathit{out}(X)(x) \cap \Sigma)$.

Now $(\mathit{out}(X)(x) - \Sigma) \cup (\mathit{out}(X)(x) \cap \Sigma) = \mathit{out}(X)(x)$, and so

$\mathit{out}(X \setminus \Sigma)(x) \cup \mathit{int}(X \setminus \Sigma)(x) = \mathit{out}(X)(x) \cup \mathit{int}(X)(x)$. (a)

Since $X$ is a configuration automaton, it satisfies constraint 4d. Hence

$\mathit{out}(X)(x) \cup \mathit{int}(X)(x) = \mathit{out}(\mathit{config}(X)(x)) \cup \mathit{int}(\mathit{config}(X)(x))$. (b)

By Definition 24, $\mathit{config}(X \setminus \Sigma) = \mathit{config}(X)$. Hence,

$\mathit{out}(\mathit{config}(X)(x)) \cup \mathit{int}(\mathit{config}(X)(x)) = \mathit{out}(\mathit{config}(X \setminus \Sigma)(x)) \cup \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$. (c)

From (a,b,c), we obtain $\mathit{out}(X \setminus \Sigma)(x) \cup \mathit{int}(X \setminus \Sigma)(x) = \mathit{out}(X)(x) \cup \mathit{int}(X)(x) = \mathit{out}(\mathit{config}(X)(x)) \cup \mathit{int}(\mathit{config}(X)(x)) = \mathit{out}(\mathit{config}(X \setminus \Sigma)(x)) \cup \mathit{int}(\mathit{config}(X \setminus \Sigma)(x))$, as desired.


Since we have established that X satisfies all the constraints, the proof is done. 


5.3 Action Renaming for Configuration Automata 


Definition 25 Let $C = (\mathcal{A}, S)$ be a compatible configuration and let $\rho$ be an injective mapping from actions to actions whose domain includes $\bigcup_{A \in \mathcal{A}} \mathit{acts}(A)$. Then we define $\rho(C) = (\rho(\mathcal{A}), \rho(S))$ where $\rho(\mathcal{A}) = \{\rho(A) \mid A \in \mathcal{A}\}$, and $\rho(S)(\rho(A)) = S(A)$ for all $A \in \mathcal{A}$.


Definition 26 (Action renaming for configuration automata) Let $X$ be a configuration automaton and let $\rho$ be an injective mapping from actions to actions whose domain includes $\bigcup_{x \in \mathit{states}(X)} \mathit{sig}(X)(x)$. Then $\rho(X)$ consists of the following components:

1. A signature I/O automaton $\mathit{sioa}(\rho(X)) = \rho(\mathit{sioa}(X))$.

2. A configuration mapping $\mathit{config}(\rho(X))$ with domain $\mathit{states}(\rho(X))$ ($= \mathit{states}(X)$) and such that $\mathit{config}(\rho(X))(x) = \rho(\mathit{config}(X)(x))$.

3. For each $x \in \mathit{states}(\rho(X))$, a mapping $\mathit{created}(\rho(X))(x)$ with domain $\mathit{sig}(\rho(X))(x)$ and such that $\mathit{created}(\rho(X))(x)(\rho(a)) = \{\rho(A) \mid A \in \mathit{created}(X)(x)(a)\}$ for all $a \in \mathit{sig}(X)(x)$.


Proposition 23 Let $X$ be a configuration automaton and let $\rho$ be an injective mapping from actions to actions whose domain includes $\bigcup_{x \in \mathit{states}(X)} \mathit{sig}(X)(x)$. Then $\rho(X)$ is a configuration automaton.

Proof: We must show that $\rho(X)$ satisfies the constraints of Definition 18. Since $X$ is a configuration automaton, constraints 1, 2, and 3 hold for $X$. From Definitions 8 and 26, we see that the states of $\rho(X)$ and the configurations in $\mathit{config}(\rho(X))(x)$ are unchanged by applying $\rho$, with the exception of the signatures of the configurations. Hence constraint 1 also holds for $\rho(X)$.

Constraints 2 and 3 hold since $\rho$ is injective, so we can simply replace $a$ by $\rho(a)$ uniformly in the transition relation of both $\rho(X)$ and the configurations in $\mathit{config}(\rho(X))(x)$. The constraints for $\rho(X)$ then follow from the corresponding ones for $X$.

From Definitions 25 and 26, we have $\mathit{out}(\mathit{config}(\rho(X))(x)) = \rho(\mathit{out}(\mathit{config}(X)(x)))$ and $\mathit{out}(\rho(X))(x) = \rho(\mathit{out}(X)(x))$. Since constraint 4a holds for $X$, we have $\mathit{out}(X)(x) \subseteq \mathit{out}(\mathit{config}(X)(x))$. Hence $\rho(\mathit{out}(X)(x)) \subseteq \rho(\mathit{out}(\mathit{config}(X)(x)))$. We thus conclude $\mathit{out}(\rho(X))(x) \subseteq \mathit{out}(\mathit{config}(\rho(X))(x))$. Hence constraint 4a holds for $\rho(X)$.

The other subconstraints of constraint 4 can be established in a similar manner.


5.4 Multi-level Configuration Automata 


Since a configuration automaton is an SIOA, it is possible for a configuration automaton to create another 
configuration automaton. This leads to a notion of “multi-level,” or “nested” configuration automata. The 
nesting structure is well-founded, that is, the binary relation “X is created by Y” is well-founded in all global 
states. 


This ability to nest entire configuration automata makes our model flexible. For example, administrative 
domains can be modeled in a natural and straightforward manner. It may also be possible to emulate the 
motion of ambients in the ambient calculus [8]. If two configuration automata X,Y are such that neither is 
“included” in the other, then X can “move into” Y by first destroying itself, and then having Y re-create X. 
This however would require some book-keeping to re-create X in the same state it was in before it destroyed 
itself. Development of these ideas, including the precise notion of “is included in,” is a topic for a subsequent 
paper. 


5.5 Compositional Reasoning for Configuration Automata 


We now establish compositionality results for configuration automata analogous to those established previ- 
ously for SIOA. The notions of execution and trace of a configuration automaton X depend solely on the 
SIOA component sioa(X). Furthermore, the SIOA component of a composition of configuration automata 
depends only on the SIOA components of the individual configuration automata (see Definition 23). It 
follows that the results of Sections 3 and 4 carry over for configuration automata with no modification. We 
restate them for configuration automata solely for the sake of completeness. 
5.5.1 Execution Projection and Pasting for Configuration Automata


Definition 27 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $x^0 a^1 x^1 a^2 x^2 \ldots x^{j-1} a^j x^j \ldots$ where $\forall j \ge 0$, $x^j = (x^j_1,\ldots,x^j_n) \in \mathit{states}(X)$ and $\forall j > 0$, $a^j \in \mathit{sig}(X)(x^{j-1})$. For $i \in [1:n]$, define $\alpha{\lceil}X_i$ to be the sequence resulting from:

1. replacing each $x^j$ by its $i$'th component $x^j_i$, and then

2. removing all $a^j x^j$ such that $a^j \notin \mathit{sig}(X_i)(x^{j-1}_i)$.


Our execution projection result states that the projection of an execution (of a composed configuration automaton $X = X_1 \parallel \cdots \parallel X_n$) onto a component $X_i$, is an execution of $X_i$.


Theorem 24 (Execution projection for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. If $\alpha \in \mathit{execs}(X)$ then $\alpha{\lceil}X_i \in \mathit{execs}(X_i)$ for all $i \in [1:n]$.


Our execution pasting result requires that a candidate execution $\alpha$ of a composed automaton $X = X_1 \parallel \cdots \parallel X_n$ must project onto an actual execution of every component $X_i$, and also that every action of $\alpha$ not involving $X_i$ does not change the configuration of $X_i$. In this case, $\alpha$ will be an actual execution of $X$.


Theorem 25 (Execution pasting for configuration automata) Let $X = X_1 \parallel \cdots \parallel X_n$ be a configuration automaton. Let $\alpha$ be a sequence $x^0 a^1 x^1 a^2 x^2 \ldots x^{j-1} a^j x^j \ldots$ where $\forall j \ge 0$, $x^j = (x^j_1,\ldots,x^j_n) \in \mathit{states}(X)$ and $\forall j > 0$, $a^j \in \mathit{sig}(X)(x^{j-1})$. Furthermore, suppose that, for all $i \in [1:n]$:

1. $\alpha{\lceil}X_i \in \mathit{execs}(X_i)$, and

2. $\forall j > 0$: if $a^j \notin \mathit{sig}(X_i)(x^{j-1}_i)$ then $x^j_i = x^{j-1}_i$.

Then, $\alpha \in \mathit{execs}(X)$.


5.5.2 Trace Pasting for Configuration Automata 
Corollary 26 (Trace pasting for configuration automata) Let $X_1,\ldots,X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. Let $\beta$ be a trace and assume that there exist $\beta_1,\ldots,\beta_n$ such that (1) $(\forall j \in [1:n] : \beta_j \in \mathit{traces}(X_j))$, and (2) $\mathit{zip}(\beta, \beta_1,\ldots,\beta_n)$. Then $\beta \in \mathit{traces}(X)$.


The definition of $\mathit{zip}(\beta, \beta_1,\ldots,\beta_n)$ remains unchanged for configuration automata, since it does not refer to the internal structure of automata, only to external actions and external signatures.


5.5.3 Trace Substitutivity and Equivalence for Configuration Automata 


Theorem 27 (Trace substitutivity for configuration automata) Let $X_1,\ldots,X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. For some $k \in [1:n]$, let $X_1,\ldots,X_{k-1}, X'_k, X_{k+1},\ldots,X_n$ be compatible configuration automata, and let $X' = X_1 \parallel \cdots \parallel X_{k-1} \parallel X'_k \parallel X_{k+1} \parallel \cdots \parallel X_n$. Assume also that $\mathit{traces}(X_k) \subseteq \mathit{traces}(X'_k)$. Then $\mathit{traces}(X) \subseteq \mathit{traces}(X')$.

Theorem 28 (Trace Substitutivity for Configuration Automata w.r.t. Action Hiding) Let $X, X'$ be configuration automata such that $\mathit{traces}(X) \subseteq \mathit{traces}(X')$. Let $\Sigma$ be a set of actions. Then $\mathit{traces}(X \setminus \Sigma) \subseteq \mathit{traces}(X' \setminus \Sigma)$.

Theorem 29 (Trace Substitutivity for Configuration Automata w.r.t. Action Renaming) Let $X, X'$ be configuration automata such that $\mathit{traces}(X) \subseteq \mathit{traces}(X')$. Let $\rho$ be an injective mapping from actions to actions whose domain includes $\mathit{acts}(X) \cup \mathit{acts}(X')$. Then $\mathit{traces}(\rho(X)) \subseteq \mathit{traces}(\rho(X'))$.

Theorem 30 (Trace equivalence is a congruence) Let $X_1,\ldots,X_n$ be compatible configuration automata, and let $X = X_1 \parallel \cdots \parallel X_n$. For some $k \in [1:n]$, let $X_1,\ldots,X_{k-1}, X'_k, X_{k+1},\ldots,X_n$ be compatible configuration automata, and let $X' = X_1 \parallel \cdots \parallel X_{k-1} \parallel X'_k \parallel X_{k+1} \parallel \cdots \parallel X_n$.

1. If $\mathit{traces}(X_k) = \mathit{traces}(X'_k)$, then $\mathit{traces}(X) = \mathit{traces}(X')$.
2. If $\mathit{traces}(X_k) = \mathit{traces}(X'_k)$, then $\mathit{traces}(X_k \setminus \Sigma) = \mathit{traces}(X'_k \setminus \Sigma)$.
3. If $\mathit{traces}(X_k) = \mathit{traces}(X'_k)$, then $\mathit{traces}(\rho(X_k)) = \mathit{traces}(\rho(X'_k))$.


6 Creation Substitutivity for Configuration Automata 


We now show that trace inclusion is monotonic with respect to process creation, under certain conditions. Our intention is that, if a configuration automaton $Y$ creates an SIOA $B$ when executing some particular actions in some particular states, then, if configuration automaton $X$ results from modifying $Y$ by making it create an SIOA $A$ instead, and if $\mathit{traces}(A) \subseteq \mathit{traces}(B)$, then we can prove $\mathit{traces}(X) \subseteq \mathit{traces}(Y)$. In the rest of this section, let $X$ be a configuration automaton that creates SIOA $A$ in some actions, but never creates SIOA $B$. Also let $Y$ be a configuration automaton that creates SIOA $B$ in some actions, but never creates SIOA $A$.


Definition 28 ($[B/A]$, $\triangleleft_{AB}$) Let $\varphi \subseteq \mathit{Autids}$, and $A, B$ be SIOA identifiers. Then we define $\varphi[B/A] = (\varphi - \{A\}) \cup \{B\}$ if $A \in \varphi$, and $\varphi[B/A] = \varphi$ if $A \notin \varphi$.

Let $C, D$ be configurations. We define $C \triangleleft_{AB} D$ iff (1) $\mathit{auts}(D) = \mathit{auts}(C)[B/A]$, (2) for every $A' \in \mathit{auts}(C) - \{A\}$: $\mathit{map}(D)(A') = \mathit{map}(C)(A')$, and (3) $\mathit{ext}(A)(s) = \mathit{ext}(B)(t)$ where $s = \mathit{map}(C)(A)$, $t = \mathit{map}(D)(B)$. That is, in $\triangleleft_{AB}$-corresponding configurations, the SIOA other than $A, B$ must be the same, and must be in the same state. $A$ and $B$ must have the same external signature.

In the sequel, when we write $\psi = \varphi[B/A]$, we always assume that $B \notin \varphi$ and $A \notin \psi$.

Proposition 31 Let $C, D$ be configurations such that $C \triangleleft_{AB} D$. Then $\mathit{ext}(C) = \mathit{ext}(D)$.

Proof: If $A \notin C$ then $C = D$ by Definition 28, and we are done. Now suppose that $A \in C$, so that $C = (\mathcal{A} \cup \{A\}, S)$ for some set $\mathcal{A}$ of SIOA identifiers, and let $s = S(A)$. Then, by Definition 16, $\mathit{out}(C) = (\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S(A'))) \cup \mathit{out}(A)(s)$.

From $C \triangleleft_{AB} D$ and Definition 28, we have $D = (\mathcal{A} \cup \{B\}, S')$, where $S'$ agrees with $S$ on all $A' \in \mathcal{A}$, and $S'(B) = t$ such that $\mathit{ext}(A)(s) = \mathit{ext}(B)(t)$. Hence $\mathit{out}(A)(s) = \mathit{out}(B)(t)$ and $\mathit{in}(A)(s) = \mathit{in}(B)(t)$. By Definition 16, $\mathit{out}(D) = (\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S'(A'))) \cup \mathit{out}(B)(t)$. Finally, $(\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S'(A'))) \cup \mathit{out}(B)(t) = (\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S(A'))) \cup \mathit{out}(A)(s)$, since $S'$ agrees with $S$ on all $A' \in \mathcal{A}$, and $\mathit{out}(A)(s) = \mathit{out}(B)(t)$.

Putting the above equalities together, we obtain $\mathit{out}(C) = (\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S(A'))) \cup \mathit{out}(A)(s) = (\bigcup_{A' \in \mathcal{A}} \mathit{out}(A')(S'(A'))) \cup \mathit{out}(B)(t) = \mathit{out}(D)$. We establish $\mathit{in}(C) = \mathit{in}(D)$ in the same manner, and omit the repetitive details. Hence $\mathit{ext}(C) = \mathit{ext}(D)$.


To obtain monotonicity, the start configurations of $Y$ must include a configuration corresponding to every configuration of $X$, i.e., $\forall x \in \mathit{start}(X), \exists y \in \mathit{start}(Y) : \mathit{config}(X)(x) \triangleleft_{AB} \mathit{config}(Y)(y)$. Together with $\mathit{traces}(A) \subseteq \mathit{traces}(B)$, we might expect to be able to establish $\mathit{traces}(X) \subseteq \mathit{traces}(Y)$. However, suppose that $X$ has an execution $\alpha$ in which $A$ is created exactly once, terminates some time after it is created, and after $A$'s termination, $X$ executes an input action $a$. Let $\beta = \mathit{trace}_X(\alpha)$ and let $\beta_A$ be the trace that $A$ generates during the execution of $\alpha$ by $X$. Since $\mathit{traces}(A) \subseteq \mathit{traces}(B)$, we can construct (by induction), using conditions 1, 2, and 3 of Definition 18, a corresponding execution $\alpha'$ of $Y$, up to the point where $A$ terminates. Since $\mathit{traces}(A) \subseteq \mathit{traces}(B)$, we have $\beta_A \in \mathit{traces}(B)$. Define $B$ as follows. $B$ emulates $A$ faithfully up to but not including the point at which $A$ terminates (i.e., self-destructs). Then, $B$ sets its external signature to empty but keeps some internal actions enabled. This allows $B$ to export an empty signature at this point. After executing an internal action, $B$ permanently enters a state in which its signature has action $a$ as an output, but $a$ is never actually enabled. Thus, no trace of $Y$ from this point onwards can contain action $a$. Hence, $\beta$ cannot be a trace of $Y$, and so $\mathit{traces}(X) \not\subseteq \mathit{traces}(Y)$, since $\beta \in \mathit{traces}(X)$. This example is a consequence of the fact that an SIOA can prevent an action $a$ from occurring, if $a$ is an output action of the SIOA which is not currently enabled, and it shows that we also need to relate the traces of $A$ that lead to termination with those of $B$ that lead to termination.


We therefore also require that the terminating traces of $A$ (see formal definition below) are a subset of the terminating traces of $B$. This, however, is still insufficient, since we have so far only required that $X$ create $A$ "whenever" $Y$ creates $B$. We have not prevented $X$ from creating $A$ in more situations than those in which $Y$ creates $B$. This can cause $\mathit{traces}(X) \not\subseteq \mathit{traces}(Y)$, as the following example shows.


Example 1 Let $A, B, C$ be the SIOA and $X, Y$ be the configuration automata given in Figure 7, as indicated by the automaton name followed by "::". Each node represents a state and each directed edge represents a transition, and is labeled with the name of the action executed. All the automata have a single start state. $A, B, C$ have start state $s^0, t^0, u^0$ respectively, and $\mathit{out}(A)(s^0) = \mathit{out}(B)(t^0) = \{a, b\}$. Note that $A$ has $b$ in the signature of $s^0$ but does not enable $b$ in $s^0$. All the states of $X, Y$, except the terminating states, are labeled with their corresponding configurations. The start states of $X, Y$ are the states with configuration $\{(C, u^0)\}$.

By inspection, $\forall x \in \mathit{start}(X), \exists y \in \mathit{start}(Y) : \mathit{config}(X)(x) \triangleleft_{AB} \mathit{config}(Y)(y)$, $\mathit{traces}(A) \subseteq \mathit{traces}(B)$, and $\mathit{ttraces}(A) \subseteq \mathit{ttraces}(B)$. Also by inspection, $\mathit{traces}(X) = \{c, ca, cd, cad, cda\}$ and $\mathit{traces}(Y) = \{c, ca, cb, cd\}$, and so $\mathit{traces}(X) \not\subseteq \mathit{traces}(Y)$ (we omit the external signatures in the traces). This is because $X$ creates $A$ along the transition which is generated by the $(u^0, c, u^1)$ transition of $C$ (according to constraint 3 of Definition 18), whereas $Y$ does not.


We now impose a restriction which precludes scenarios such as in Example 1. 


Definition 29 (Creation corresponding configuration automata) Let $X, Y$ be configuration automata and $A, B$ be SIOA. We say that $X, Y$ are creation-corresponding w.r.t. $A, B$ iff

1. $X$ never creates $B$ and $Y$ never creates $A$.

2. Let $\beta \in \mathit{traces}^*(X) \cap \mathit{traces}^*(Y)$, and let $\alpha \in \mathit{execs}^*(X)$, $\pi \in \mathit{execs}^*(Y)$ be such that $\mathit{trace}_X(\alpha) = \mathit{trace}_Y(\pi) = \beta$. Let $x = \mathit{last}(\alpha)$, $y = \mathit{last}(\pi)$, i.e., $x, y$ are the last states along $\alpha, \pi$, respectively. Then

$\forall a \in \mathit{sig}(X)(x) \cap \mathit{sig}(Y)(y) : \mathit{created}(Y)(y)(a) = \mathit{created}(X)(x)(a)[B/A]$.


Now, in addition to the requirements discussed above in Example 1, we require that the configuration 
automata X,Y be creation-corresponding w.r.t. A,B, and that, from the last states of executions with the 
same trace, X and Y create the same SIOA, except that Y may create B where X creates A. We will also 
restrict A, B so that their internal actions do not create SIOA, and do not lead to an empty signature, i.e., 
to self-destruction. Also B can have only a single start state. We give results for finite trace inclusion and 
trace inclusion. 




Figure 7: The Automata in Example 1 


Let $s^0 a^1 s^1 \ldots s^{n-1} a^n s^n$ be a finite execution of SIOA $A$ such that $\mathit{sig}(A)(s^n) = \emptyset$. Then, without loss of generality, we assume that, for all $t$ such that $(s^{n-1}, a^n, t) \in \mathit{steps}(A)$, $\mathit{sig}(A)(t) = \emptyset$. That is, execution in state $s^{n-1}$ of $a^n$ per se, and not the choice of target state, determines that $A$ is destroyed. We also assume that hiding is not used, so that a state and its configuration have the same signature, i.e., for every configuration automaton $X$, $\forall x \in \mathit{states}(X)$: $\mathit{out}(X)(x) = \mathit{out}(\mathit{config}(X)(x))$, $\mathit{in}(X)(x) = \mathit{in}(\mathit{config}(X)(x))$, and $\mathit{int}(X)(x) = \mathit{int}(\mathit{config}(X)(x))$.

Definition 30 (Terminating execution, terminating trace) Let $s^0 a^1 s^1 \ldots s^{n-1} a^n s^n$ be a finite execution of SIOA $A$ such that $\mathit{sig}(A)(s^n) = \emptyset$, and let $\alpha = s^0 a^1 s^1 \ldots s^{n-1} a^n$, i.e., remove the final state $s^n$. Then we say that $\alpha$ is a terminating execution of $A$. Define $\mathit{texecs}(A) = \{\alpha \mid \alpha \text{ is a terminating execution of } A\}$. If $\beta = \mathit{trace}(\alpha)$, then we say that $\beta$ is a terminating trace of $A$. Define $\mathit{ttraces}(A) = \{\beta \mid \beta \text{ is a terminating trace of } A\}$.


Note that we define a terminating execution to end in an action (which sets $A$'s signature to empty), and not in a state. This is due to Definitions 16 and 18, which remove an SIOA $A$ when it has an empty signature, and hence the final state $s$, in which $\mathit{sig}(A)(s) = \emptyset$, does not appear in any configuration of the containing configuration automaton $X$, i.e., there is no reachable state $x$ of $X$ and configuration $C$ such that $\mathit{config}(X)(x) = C$ and $\mathit{map}(C)(A) = s$. Thus, to define a notion of projection of an execution of configuration automaton $X$ onto an SIOA $A$ that is "inside" $X$, we have to define the terminating executions of $A$ so that they omit the final state. We also extend the concatenation operator $\frown$ so that it appends a single action: for a finite execution fragment $\alpha = s^0 a^1 s^1 a^2 \ldots a^t s^t$ we define $\alpha \frown a$ to be $s^0 a^1 s^1 a^2 \ldots a^t s^t a$, i.e., $\alpha$ followed by $a$.
Definition 31 (Projection of configuration automaton onto a contained SIOA, $\upharpoonright$) Let $\alpha = x^0 a^1 x^1 \ldots x^t a^{t+1} x^{t+1} \ldots$ be an execution of a configuration automaton $X$. Then $\alpha{\upharpoonright}A$ is a sequence of executions of $A$, and results from the following steps:

1. insert a "delimiter" $\$$ after an action $a^t$ whose execution causes $A$ to set its signature to empty,

2. remove each $x^t a^{t+1}$ such that $A \notin \mathit{auts}(X)(x^t)$,

3. remove each $x^t a^{t+1}$ such that $a^{t+1} \notin \mathit{sig}(A)(\mathit{map}(\mathit{config}(X)(x^t))(A))$,

4. if $\alpha$ is finite, $x = \mathit{last}(\alpha)$, and $A \notin \mathit{auts}(X)(x)$, then remove $x$,

5. replace each $x^t$ by $\mathit{map}(\mathit{config}(X)(x^t))(A)$.

$\alpha{\upharpoonright}A$ is, in general, a sequence of several (possibly an infinite number of) executions of $A$, all of which are terminating except the last. That is, $\alpha{\upharpoonright}A = \alpha^1 \$ \cdots \$ \alpha^k$ where $(\forall j, 1 \le j < k : \alpha^j \in \mathit{texecs}(A)) \wedge \alpha^k \in \mathit{execs}(A)$.


Definition 32 (Prefix relation among sequences of executions, $\le$, $<$) Let $\alpha^1 \$ \cdots \$ \alpha^k$ and $\delta^1 \$ \cdots \$ \delta^\ell$ be sequences of executions of some SIOA. Define $\alpha^1 \$ \cdots \$ \alpha^k \le \delta^1 \$ \cdots \$ \delta^\ell$ iff $k \le \ell \wedge (\forall j, 1 \le j < k : \alpha^j = \delta^j) \wedge \alpha^k \le \delta^k$. If $\alpha^1 \$ \cdots \$ \alpha^k \le \delta^1 \$ \cdots \$ \delta^\ell$ and $\alpha^1 \$ \cdots \$ \alpha^k \ne \delta^1 \$ \cdots \$ \delta^\ell$ then we write $\alpha^1 \$ \cdots \$ \alpha^k < \delta^1 \$ \cdots \$ \delta^\ell$.


Definition 33 (Trace of a sequence of executions, $\mathit{strace}_A(\alpha^1 \$ \cdots \$ \alpha^k)$) Let $\alpha^1 \$ \cdots \$ \alpha^k$ be a sequence of executions of some SIOA $A$. Then $\mathit{strace}_A(\alpha^1 \$ \cdots \$ \alpha^k)$ is $\mathit{trace}_A(\alpha^1) \$ \cdots \$ \mathit{trace}_A(\alpha^k)$, i.e., a sequence of traces of $A$, corresponding to the sequence of executions $\alpha^1 \$ \cdots \$ \alpha^k$.
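As an added example (not code from the paper), the following Python carries out the five steps of Definition 31 on a constructed finite execution of a configuration automaton, splitting the result at the $ delimiters into terminating executions of the contained SIOA plus one final ongoing execution, and then takes the trace of that sequence as in Definition 33. The list/dict encoding of executions and configurations, the function names, and the sample automata are assumptions of the example.

```python
"""Projection of a configuration-automaton execution onto a contained SIOA (Definition 31).

Encoding (an assumption of this example, not the paper's):
  * an execution alpha of X is a list alternating states and actions: x0 a1 x1 a2 x2 ...;
  * a state x^t of X is represented directly by its configuration config(X)(x^t), a dict
    mapping each SIOA identifier in auts(config(X)(x^t)) to that SIOA's local state (map);
  * sig_A(s) returns the signature of SIOA A in local state s as a set of action names.
Following Definitions 16 and 18 as described in the text, an SIOA whose signature becomes
empty is dropped from the reduced configuration, so "a^t causes A to set its signature to
empty" is detected as: A present before a^t, a^t in A's signature there, A absent after a^t.
"""
from typing import Callable, Dict, Hashable, List, Sequence, Set

Config = Dict[str, Hashable]   # SIOA identifier -> local state of that SIOA
Execution = List               # alternating local states and actions of one SIOA


def project(alpha: Sequence, A: str, sig_A: Callable[[Hashable], Set[str]]) -> List[Execution]:
    """Return alpha projected onto A as the list of executions that the '$' delimiters separate.

    Every returned execution except possibly the last ends in an action, i.e. it is a
    terminating execution of A in the sense of Definition 30.
    """
    if len(alpha) % 2 == 0:
        raise ValueError("an execution must start and end with a state")
    states, actions = alpha[0::2], alpha[1::2]
    # Step 1: delim[t] is True when a '$' delimiter follows a^{t+1}, the action of step t.
    delim = []
    for t, a in enumerate(actions):
        before, after = states[t], states[t + 1]
        delim.append(A in before and a in sig_A(before[A]) and A not in after)
    kept = []  # surviving (x^t, a^{t+1}) pairs after steps 2 and 3, with step 5 applied
    for t, a in enumerate(actions):
        x = states[t]
        if A not in x:                 # step 2: A not in auts(X)(x^t)
            continue
        if a not in sig_A(x[A]):       # step 3: a^{t+1} not in sig(A)(map(config(X)(x^t))(A))
            continue
        kept.append((x[A], a, delim[t]))   # step 5: x^t replaced by map(config(X)(x^t))(A)
    last = states[-1]
    final_state = last[A] if A in last else None   # step 4 (alpha is finite here)
    executions, current = [], []
    for s, a, d in kept:
        current += [s, a]
        if d:                          # a terminating execution ends with its last action
            executions.append(current)
            current = []
    if final_state is not None:
        current.append(final_state)
    if current:
        executions.append(current)
    return executions


def is_terminating(execution: Execution) -> bool:
    """True iff the execution ends in an action (Definition 30 omits the final state)."""
    return len(execution) % 2 == 0


def strace(executions: List[Execution], ext: Set[str]) -> List[List[str]]:
    """strace_A of a '$'-separated sequence (Definition 33): one trace per execution,
    keeping only the external actions in `ext` (external signatures omitted, as in Example 1)."""
    return [[a for a in ex[1::2] if a in ext] for ex in executions]


# Constructed sample (not from the paper): SIOA C creates A on action c; A performs a and
# then terminates with d; C later creates a fresh A, which performs a and is still alive.
SIG_A = {"s0": {"a"}, "s1": {"a", "d"}}
ALPHA = [
    {"C": "u0"}, "c",
    {"C": "u1", "A": "s0"}, "a",
    {"C": "u1", "A": "s1"}, "e",        # step of C alone; A does not participate
    {"C": "u2", "A": "s1"}, "d",
    {"C": "u2"}, "c",
    {"C": "u3", "A": "s0"}, "a",
    {"C": "u3", "A": "s1"},
]


def demo() -> List[Execution]:
    """ALPHA projected onto A: one terminating execution, then the ongoing one."""
    return project(ALPHA, "A", SIG_A.__getitem__)


if __name__ == "__main__":
    for ex in demo():
        print(ex, "terminating" if is_terminating(ex) else "ongoing")
```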


Note that we overload the delimiter $\$$, and use it also in sequences of traces. It follows from Definition 31 that $\alpha' \le \alpha$ implies $\alpha'{\upharpoonright}A \le \alpha{\upharpoonright}A$, where $\alpha', \alpha$ are executions of some configuration automaton. If $\alpha = x^0 a^1 x^1 \ldots x^t a^{t+1} x^{t+1} \ldots$ is an execution of some configuration automaton, then define $\mathit{trace}(\alpha, j, k)$ to be $\mathit{trace}(x^j a^{j+1} \ldots a^k x^k)$ if $j < k$, and to be $\lambda$ (the empty sequence) if $j \ge k$.


Definition 34 (Execution correspondence relation, $R_{AB}$) Let $\alpha, \pi$ be executions of configuration automata $X, Y$ respectively. Then $\alpha R_{AB} \pi$ iff there exists a nondecreasing mapping $m : \{0,\ldots,|\alpha|\} \to \{0,\ldots,|\pi|\}$ such that all of the following hold:

1. $m(0) = 0$.

2. $\forall j, 0 \le j \le |\pi| \wedge j \ne \omega$, $\exists i, 0 \le i \le |\alpha| \wedge i \ne \omega : m(i) \ge j$.

3. $\forall i, 0 < i \le |\alpha| \wedge i \ne \omega : \mathit{trace}_Y(\pi, m(i-1), m(i)) = \mathit{trace}_X(\alpha, i-1, i)$.

4. $\forall i, 0 < i \le |\alpha| \wedge i \ne \omega : \mathit{trace}_B((y^{m(i-1)} b^{m(i-1)+1} \ldots b^{m(i)} y^{m(i)}){\upharpoonright}B) = \mathit{trace}_A((x^{i-1} a^i x^i){\upharpoonright}A)$.

5. $\forall i, 0 \le i \le |\alpha| \wedge i \ne \omega : \mathit{config}(X)(x^i) \triangleleft_{AB} \mathit{config}(Y)(y^{m(i)})$.


Proposition 32 Let $\alpha, \pi$ be executions of configuration automata $X, Y$ respectively. If $\alpha R_{AB} \pi$, then $\mathit{trace}_X(\alpha) = \mathit{trace}_Y(\pi)$.


Proof: For finite executions, by induction on the length of a, using Clause 3 of Definition 34 to establish 
the inductive step. For infinite executions, apply the finite case for each prefix, and then take the limit with 
respect to prefix ordering. 


Lemma 33 (Execution correspondence) Let $X, Y$ be configuration automata, and $A, B$ be SIOA. Assume that

1. $B$ has a single start state, and $A, B$ do not destroy themselves by executing an internal action,

2. internal actions of $A, B$ do not create any SIOA, i.e., have empty create sets,

3. $\forall x \in \mathit{start}(X), \exists y \in \mathit{start}(Y) : \mathit{config}(X)(x) \triangleleft_{AB} \mathit{config}(Y)(y)$,

4. $\mathit{traces}^*(A) \subseteq \mathit{traces}^*(B)$,

5. $\mathit{ttraces}(A) \subseteq \mathit{ttraces}(B)$, and

6. $X, Y$ are creation-corresponding w.r.t. $A, B$.

Then

$\forall \alpha \in \mathit{execs}^*(X), \exists \pi \in \mathit{execs}^*(Y) : \alpha R_{AB} \pi$.


Proof: Fix $\alpha = x^0 a^1 x^1 a^2 x^2 \ldots x^{n-1} a^n x^n$ to be an arbitrary finite execution of $X$. Let $\alpha \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^k$ for some $k \ge 0$, and where $(\forall j,\ 1 \le j < k : \alpha_A^j \in \mathrm{texecs}(A))$ and $\alpha_A^k \in \mathrm{execs}^*(A)$. By Assumptions 4 and 5, each such $\alpha_A^j$ has at least one corresponding execution $\pi_B^j$ which has the same trace. Thus there exist executions $\pi_B^1, \ldots, \pi_B^k$ of $B$ such that

$(\forall j,\ 1 \le j \le k : \mathrm{trace}_A(\alpha_A^j) = \mathrm{trace}_B(\pi_B^j))$,

$(\forall j,\ 1 \le j < k : \pi_B^j \in \mathrm{texecs}(B))$, and    (AB)

$\pi_B^k \in \mathrm{execs}^*(B)$.

For the rest of the proof, fix these $\pi_B^1, \ldots, \pi_B^k$. We define $\mathrm{prefixes}(\alpha_A^1 \$ \cdots \$ \alpha_A^k) = \{\xi \mid \xi \le \alpha_A^1 \$ \cdots \$ \alpha_A^k\}$ and $\mathrm{prefixes}(\pi_B^1 \$ \cdots \$ \pi_B^k) = \{\chi \mid \chi \le \pi_B^1 \$ \cdots \$ \pi_B^k\}$. Then it follows, from (AB), that there exists a mapping $\mathrm{map}_{AB} : \mathrm{prefixes}(\alpha_A^1 \$ \cdots \$ \alpha_A^k) \rightarrow \mathrm{prefixes}(\pi_B^1 \$ \cdots \$ \pi_B^k)$ such that, for $\xi \in \mathrm{prefixes}(\alpha_A^1 \$ \cdots \$ \alpha_A^k)$, $\mathrm{map}_{AB}(\xi) = \chi$, where

1. $\mathrm{strace}_A(\xi) = \mathrm{strace}_B(\chi)$ and

2. for all $\chi' \in \mathrm{prefixes}(\pi_B^1 \$ \cdots \$ \pi_B^k)$ such that $\mathrm{strace}_A(\xi) = \mathrm{strace}_B(\chi')$, we have $\chi \le \chi'$. That is, $\chi$ is the least (with respect to the prefix ordering given by $\le$) $\chi'$ such that $\mathrm{strace}_A(\xi) = \mathrm{strace}_B(\chi')$.

We now establish (*):

For every prefix $\alpha'$ of $\alpha$, there exists a $\pi'$ such that
1. $\pi'$ is a finite execution of $Y$,
2. $\alpha'\, R_{AB}\, \pi'$, and
3. $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$ and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.


The proof is by induction on the length of $\alpha'$.


Base case: $\alpha' = x^0$. Then $\pi' = y^0$ such that $y^0 \in \mathrm{start}(Y)$ and $\mathrm{config}(X)(x^0) \triangleleft_{AB} \mathrm{config}(Y)(y^0)$. $y^0$ exists by Assumption 3. $\pi'$ is a finite (zero-length) execution of $Y$, since $y^0 \in \mathrm{start}(Y)$. We now establish $\alpha'\, R_{AB}\, \pi'$, i.e., Definition 34. Let $m(0) = 0$. Then clause 1 holds. Also clause 2 holds since $\alpha', \pi'$ both have length 0. Clauses 3 and 4 hold vacuously, because the range $0 < i \le |\alpha'|$ is empty: since $\alpha' = x^0$, we have $|\alpha'| = 0$, as $\alpha'$ contains zero transitions. Clause 5 holds since $\mathrm{config}(X)(x^0) \triangleleft_{AB} \mathrm{config}(Y)(y^0)$ and $m(0) = 0$.

Finally, $\pi' \upharpoonright B$ is the (unique) start state of $B$, by Definition 31, and Assumption 1. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$. Also, $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$, by definition of $\mathrm{map}_{AB}$ and $\mathrm{config}(X)(x^0) \triangleleft_{AB} \mathrm{config}(Y)(y^0)$.
Induction step: $\alpha' = \alpha'' \frown (x^i a^{i+1} x^{i+1})$ where $\alpha'' = x^0 a^1 x^1 a^2 x^2 \ldots x^{i-1} a^i x^i$. The induction hypothesis is as follows:

There exists a $\pi''$ such that

1. $\pi''$ is a finite execution of $Y$,

2. $\alpha''\, R_{AB}\, \pi''$, and    (ind. hyp.)

3. $\pi'' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$ and $\mathrm{map}_{AB}(\alpha'' \upharpoonright A) = \pi'' \upharpoonright B$.

We now extend $\pi''$ to a finite $\pi'$ such that $\alpha'\, R_{AB}\, \pi'$. The induction step splits into eight cases, treated below. First, we establish some terminology and assertions that apply to all the cases.


Let $C_i = \mathrm{config}(X)(x^i)$, $C_{i+1} = \mathrm{config}(X)(x^{i+1})$. Also let $\pi'' = y^0 b^1 y^1 b^2 y^2 \ldots y^{j-1} b^j y^j$, and $D_j = \mathrm{config}(Y)(y^j)$. By Constraint 2 of Definition 18,

$C_i \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} C_{i+1}$ where $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$.    (a)

Hence

$a^{i+1} \in \mathrm{sig}(X)(x^i)$ and $a^{i+1} \in \mathrm{sig}(C_i)$,    (b)

since $a^{i+1}$ can be executed from $x^i$, and $C_i = \mathrm{config}(X)(x^i)$. By $\alpha''\, R_{AB}\, \pi''$ and Proposition 32,

$\mathrm{trace}_X(\alpha'') = \mathrm{trace}_Y(\pi'')$,    (c)

and hence also

$\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$,    (d)

since $x^i, y^j$ are the last states of $\alpha'', \pi''$, respectively. In the rest of the proof, let $\beta = \mathrm{trace}_X(\alpha'') = \mathrm{trace}_Y(\pi'')$. By $\alpha''\, R_{AB}\, \pi''$ and Definition 34, we have

$j = m(i)$ and $C_i \triangleleft_{AB} D_j$.    (e)

Suppose that $a^{i+1} \in \mathrm{sig}(Y)(y^j)$. Then, by (b, c), Assumption 6, and Definition 29, we have

$\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ if $a^{i+1} \in \mathrm{sig}(Y)(y^j)$.    (f)

We now deal with each case of the induction step, in turn.


Case 1: $A \notin \mathrm{auts}(C_i)$ and $A \notin \mathrm{auts}(C_{i+1})$.

By (e), $C_i \triangleleft_{AB} D_j$. Since $A \notin \mathrm{auts}(C_i)$, we have, by Definition 34, that $C_i = D_j$. Since $A \notin \mathrm{auts}(C_{i+1})$, it follows that $A \notin \mathrm{created}(X)(x^i)(a^{i+1})$ by Definitions 17 and 18. From (a), we have $C_i \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} C_{i+1}$, where $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$. Let $D_{j+1} = C_{i+1}$. Then we have $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} D_{j+1}$. Hence $a^{i+1} \in \mathrm{sig}(D_j)$, since $a^{i+1}$ can be executed from $D_j$. Hence $a^{i+1} \in \mathrm{sig}(Y)(y^j)$ by Definition 18. Hence $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ by (f). Since $A \notin \mathrm{created}(X)(x^i)(a^{i+1})$, we have $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})$. So letting $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$, we have $\psi = \varphi$, and so $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$.

By $a^{i+1} \in \mathrm{sig}(Y)(y^j)$, $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$, $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$, and Definition 18, we have

$\exists y^{j+1} : y^j \stackrel{a^{i+1}}{\longrightarrow}_Y y^{j+1}$ and $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$.

Now let $\pi' = \pi'' \frown (y^j a^{i+1} y^{j+1})$. We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j+1$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j+1$.

Clause 3: from above, $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1})$ and $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{ext}(Y)(y^{m(i)}) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{m(i+1)}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j+1})$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Also, $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j+1}) = \mathrm{ext}(Y)(y^{j+1})$, since $D_{j+1} = C_{i+1}$. Hence $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)})$. This and the induction hypothesis establish Clause 3.

Clause 4: since $A \notin \mathrm{auts}(C_i)$ and $A \notin \mathrm{auts}(C_{i+1})$, $A$ is not a participant in $a^{i+1}$. Likewise $B \notin \mathrm{auts}(D_j)$ and $B \notin \mathrm{auts}(D_{j+1})$, and so $B$ is not a participant in $a^{i+1}$. Hence by Definition 31, $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A)$ is empty, and $\mathrm{trace}_B(({}_j|\pi|_{j+1}) \upharpoonright B)$ is also empty. Since $m(i) = j$, $m(i+1) = j+1$, we have that $\mathrm{trace}_B(({}_{m(i)}|\pi|_{m(i+1)}) \upharpoonright B)$ is empty. Clause 4 follows from this and the induction hypothesis.

Clause 5: we have, from above, $C_{i+1} = D_{j+1}$, $A \notin \mathrm{auts}(C_{i+1})$, $B \notin \mathrm{auts}(D_{j+1})$. Hence $C_{i+1} \triangleleft_{AB} D_{j+1}$, by Definition 28. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j+1})$. Since $m(i+1) = j+1$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: by the induction hypothesis, $\pi'' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$. We showed above (proof of Clause 4 of $\alpha'\, R_{AB}\, \pi'$) that $B$ is not a participant in $a^{i+1}$, and hence $\pi' \upharpoonright B = \pi'' \upharpoonright B$. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: we showed above (proof of Clause 4 of $\alpha'\, R_{AB}\, \pi'$) that $A$ is not a participant in $a^{i+1}$ and $B$ is not a participant in $a^{i+1}$. Hence $\alpha' \upharpoonright A = \alpha'' \upharpoonright A$, and $\pi' \upharpoonright B = \pi'' \upharpoonright B$. By the induction hypothesis, $\mathrm{map}_{AB}(\alpha'' \upharpoonright A) = \pi'' \upharpoonright B$. Hence $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.


Case 2: $A \notin \mathrm{auts}(C_i)$ and $A \in \mathrm{auts}(C_{i+1})$.

By (e), $C_i \triangleleft_{AB} D_j$. Since $A \notin \mathrm{auts}(C_i)$, we have, by Definition 34, that $C_i = D_j$. Since $A \notin \mathrm{auts}(C_i)$ and $A \in \mathrm{auts}(C_{i+1})$, it follows that $A \in \mathrm{created}(X)(x^i)(a^{i+1})$ by Definitions 17 and 18. By (b), $a^{i+1} \in \mathrm{sig}(C_i)$. Hence $a^{i+1} \in \mathrm{sig}(D_j)$ since $C_i = D_j$. Hence $a^{i+1} \in \mathrm{sig}(Y)(y^j)$ by Definition 18. Hence $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ by (f). So letting $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$ and $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$, we have $\psi = \varphi[B/A]$.

Let $s = \mathrm{map}(C_{i+1})(A)$. Hence $\alpha' \upharpoonright A = \alpha'' \upharpoonright A \$ s$ by Definition 31, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A$. Also $\alpha' \le \alpha$, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A \le \alpha \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^k$. Hence $\alpha'' \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^\ell$ for some $\ell < k$, since $A \notin \mathrm{auts}(C_i)$, and so the last execution in $\alpha'' \upharpoonright A$ must be a terminating execution in $\alpha_A^1 \$ \cdots \$ \alpha_A^k$, and not merely a prefix of an execution in $\alpha_A^1 \$ \cdots \$ \alpha_A^k$. It follows, by Definition 31, that $s = \mathrm{first}(\alpha_A^{\ell+1})$, since $\alpha_A^{\ell+1}$ is the next execution of $A$ along $\alpha_A^1 \$ \cdots \$ \alpha_A^k$. Also, from $\pi'' \upharpoonright B = \mathrm{map}_{AB}(\alpha'' \upharpoonright A)$ and the definition of $\mathrm{map}_{AB}$, it follows that $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell$.

Now define $D_{j+1}$ as follows. $\mathrm{auts}(D_{j+1}) = \mathrm{auts}(C_{i+1})[B/A]$, and for all $A' \in \mathrm{auts}(C_{i+1}) - \{A\} : \mathrm{map}(D_{j+1})(A') = \mathrm{map}(C_{i+1})(A')$, and $\mathrm{map}(D_{j+1})(B) = t$ where $t = \mathrm{first}(\pi_B^{\ell+1})$. It follows from (AB) that $t \in \mathrm{start}(B)$ and $\mathrm{ext}(B)(t) = \mathrm{ext}(A)(s)$. Hence by Definition 34, $C_{i+1} \triangleleft_{AB} D_{j+1}$.

From (a), we have $C_i \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} C_{i+1}$. Then we have $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$, by Definition 17, $\psi = \varphi[B/A]$, $A \in \varphi$, and the construction of $D_{j+1}$. By $a^{i+1} \in \mathrm{sig}(Y)(y^j)$, $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$, $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$, and Definition 18, we have

$\exists y^{j+1} : y^j \stackrel{a^{i+1}}{\longrightarrow}_Y y^{j+1}$ and $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$.

Now let $\pi' = \pi'' \frown (y^j a^{i+1} y^{j+1})$. We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j+1$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j+1$.

Clause 3: from above, $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1})$ and $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{ext}(Y)(y^{m(i)}) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{m(i+1)}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j+1})$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Also, $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j+1}) = \mathrm{ext}(Y)(y^{j+1})$, since $C_{i+1} \triangleleft_{AB} D_{j+1}$. Hence $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)})$. This and the induction hypothesis establish Clause 3.

Clause 4: $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{ext}(A)(s)$, and $\mathrm{trace}_B(({}_j|\pi|_{j+1}) \upharpoonright B) = \mathrm{ext}(B)(t)$, by Definition 31. By choice of $t$, $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$, and so $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{trace}_B(({}_j|\pi|_{j+1}) \upharpoonright B)$. Clause 4 follows from this and the induction hypothesis.

Clause 5: we have, from above, $C_{i+1} \triangleleft_{AB} D_{j+1}$. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j+1})$. Since $m(i+1) = j+1$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: we showed above that $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell$, where $\ell < k$. By definition of $\pi'$, $\pi' \upharpoonright B = \pi'' \upharpoonright B \$ t$, where $t = \mathrm{first}(\pi_B^{\ell+1})$. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$ by Definition 32.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: by construction, $\alpha' \upharpoonright A = \alpha'' \upharpoonright A \$ s$ and $\pi' \upharpoonright B = \pi'' \upharpoonright B \$ t$. By the induction hypothesis, $\mathrm{map}_{AB}(\alpha'' \upharpoonright A) = \pi'' \upharpoonright B$. We showed above that $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$. It follows, from the definition of $\mathrm{map}_{AB}$, that $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.


Case 3: $A \in \mathrm{auts}(C_i)$, $A \in \mathrm{auts}(C_{i+1})$, and $a^{i+1} \notin \mathrm{sig}(A)(s)$, where $s = \mathrm{map}(C_i)(A)$.

By (e), $C_i \triangleleft_{AB} D_j$. Hence $B \in \mathrm{auts}(D_j)$. From (a), we have $C_i \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} C_{i+1}$, where $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$. By (b), $a^{i+1} \in \mathrm{sig}(C_i)$. Let $t = \mathrm{map}(D_j)(B)$. Then $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$, since $C_i \triangleleft_{AB} D_j$. By the case assumption, $a^{i+1} \notin \mathrm{sig}(A)(s)$, and so $a^{i+1} \notin \mathrm{ext}(A)(s)$. Hence $a^{i+1} \notin \mathrm{ext}(B)(t)$, since $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$.

Now assume $a^{i+1} \in \mathrm{int}(B)(t)$. By signature compatibility, $a^{i+1}$ is not an action of the current signature of any SIOA $A'$ in $\mathrm{auts}(D_j)$ other than $B$. We have $B \notin \mathrm{auts}(C_i)$, since we assume that $X$ never creates $B$. So by $C_i \triangleleft_{AB} D_j$ and $a^{i+1} \notin \mathrm{sig}(A)(s)$, we conclude that $a^{i+1} \notin \mathrm{sig}(C_i)$, since $C_i, D_j$ contain the same SIOA in the same states, apart from $A, B$. This contradicts $a^{i+1} \in \mathrm{sig}(C_i)$ established above. Hence our assumption is false, i.e., $a^{i+1} \notin \mathrm{int}(B)(t)$. From this and $a^{i+1} \notin \mathrm{ext}(B)(t)$, we infer $a^{i+1} \notin \mathrm{sig}(B)(t)$.

Now define $D_{j+1}$ as follows. $\mathrm{auts}(D_{j+1}) = \mathrm{auts}(C_{i+1})[B/A]$, for all $A' \in \mathrm{auts}(C_{i+1}) - \{A\} : \mathrm{map}(D_{j+1})(A') = \mathrm{map}(C_{i+1})(A')$, and $\mathrm{map}(D_{j+1})(B) = \mathrm{map}(D_j)(B) = t$. That is, $D_{j+1}$ consists of the same SIOA as $C_{i+1}$, except that $A$ is replaced by $B$. SIOA other than $A, B$ have the same state in $D_{j+1}$ as in $C_{i+1}$. $B$ has the same state in $D_{j+1}$ as in $D_j$. Hence $C_{i+1} \triangleleft_{AB} D_{j+1}$, by Definitions 17 and 28.

By (b), $a^{i+1} \in \mathrm{sig}(C_i)$. Since $a^{i+1} \notin \mathrm{sig}(A)(s)$, it follows that $a^{i+1}$ is in the signature of some SIOA $A'$ of $C_i$. By $C_i \triangleleft_{AB} D_j$, $A'$ is also an SIOA of $D_j$, and has the same state in $D_j$ as in $C_i$, i.e., $\mathrm{map}(D_j)(A') = \mathrm{map}(C_i)(A')$. Hence $a^{i+1} \in \mathrm{sig}(D_j)$ by Definition 16. Hence $a^{i+1} \in \mathrm{sig}(Y)(y^j)$ by $D_j = \mathrm{config}(Y)(y^j)$ and Definition 18. So $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ by (f). So letting $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$ and $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$, we have $\psi = \varphi[B/A]$.

Since $A \in \mathrm{auts}(C_i)$ and $B \in \mathrm{auts}(D_j)$, the presence of $A$ in $\varphi$, $B$ in $\psi$, makes no difference to the execution of transitions from $C_i, D_j$, respectively, by Definition 17, since $A, B$ are already alive. Now $C_i \triangleleft_{AB} D_j$, $C_{i+1} \triangleleft_{AB} D_{j+1}$, and $C_i \stackrel{a^{i+1}}{\Longrightarrow}_{\varphi} C_{i+1}$. Hence $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$, by these, $\psi = \varphi[B/A]$, and Definition 17, since $A, B$ do not participate in the execution of $a^{i+1}$.

By $a^{i+1} \in \mathrm{sig}(Y)(y^j)$, $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$, $D_j \stackrel{a^{i+1}}{\Longrightarrow}_{\psi} D_{j+1}$, and Definition 18, we have

$\exists y^{j+1} : y^j \stackrel{a^{i+1}}{\longrightarrow}_Y y^{j+1}$ and $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$.

Now let $\pi' = \pi'' \frown (y^j a^{i+1} y^{j+1})$. We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j+1$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j+1$.

Clause 3: from above, $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1})$ and $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{ext}(Y)(y^{m(i)}) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{m(i+1)}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j+1})$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Now $\mathrm{config}(X)(x^{i+1}) = C_{i+1}$, $\mathrm{config}(Y)(y^{j+1}) = D_{j+1}$. Also $C_{i+1} \triangleleft_{AB} D_{j+1}$, and so $\mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j+1})$. Hence $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j+1}) = \mathrm{ext}(Y)(y^{j+1})$. We finally obtain $\mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j+1})$. Hence $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{trace}_X({}_i|\alpha|_{i+1})$. Together with the induction hypothesis, this establishes Clause 3.

Clause 4: from above, $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{ext}(A)(s)$, and $\mathrm{trace}_B(({}_j|\pi|_{j+1}) \upharpoonright B) = \mathrm{ext}(B)(t)$. By choice of $t$, $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$, and so $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{trace}_B(({}_j|\pi|_{j+1}) \upharpoonright B)$. Clause 4 follows from this and the induction hypothesis.

Clause 5: from above, $C_{i+1} \triangleleft_{AB} D_{j+1}$. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j+1} = \mathrm{config}(Y)(y^{j+1})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j+1})$. Since $m(i+1) = j+1$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: $a^{i+1} \notin \mathrm{sig}(B)(t)$ was shown above, and so we have $\pi' \upharpoonright B = \pi'' \upharpoonright B$ by Definition 31. Now $\pi'' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$ by the induction hypothesis, and so we are done.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: $a^{i+1} \notin \mathrm{sig}(A)(s)$ by assumption, and so we have $\alpha' \upharpoonright A = \alpha'' \upharpoonright A$ by Definition 31. Since $a^{i+1} \notin \mathrm{sig}(B)(t)$, we have $\pi' \upharpoonright B = \pi'' \upharpoonright B$ by Definition 31. By the induction hypothesis, $\mathrm{map}_{AB}(\alpha'' \upharpoonright A) = \pi'' \upharpoonright B$, and so we are done.


Case 4: $A \in \mathrm{auts}(C_i)$, $A \in \mathrm{auts}(C_{i+1})$, and $a^{i+1} \in \mathrm{ext}(A)(s)$, where $s = \mathrm{map}(C_i)(A)$.

By (e), $C_i \triangleleft_{AB} D_j$. Hence $B \in \mathrm{auts}(D_j)$. Also, by Proposition 31, $\mathrm{ext}(C_i) = \mathrm{ext}(D_j)$. By $a^{i+1} \in \mathrm{ext}(A)(s)$, $A \in \mathrm{auts}(C_i)$, and Definition 16, $a^{i+1} \in \mathrm{ext}(C_i)$. Hence $a^{i+1} \in \mathrm{ext}(D_j)$ since $\mathrm{ext}(C_i) = \mathrm{ext}(D_j)$. Hence $a^{i+1} \in \mathrm{sig}(Y)(y^j)$ by Definition 18, since $D_j = \mathrm{config}(Y)(y^j)$. Hence $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ by (f). So letting $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$ and $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$, we have $\psi = \varphi[B/A]$.

Let $s' = \mathrm{map}(C_{i+1})(A)$. Hence $\alpha' \upharpoonright A = \alpha'' \upharpoonright A \frown (s, a^{i+1}, s')$ by Definition 31, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A$. Also $\alpha' \le \alpha$, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A \le \alpha \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^k$. Hence $\alpha'' \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^\ell \$ \sigma_A^{\ell+1}$ for some $\ell < k$, where $\sigma_A^{\ell+1} \le \alpha_A^{\ell+1}$. Note that $\sigma_A^{\ell+1} \le \alpha_A^{\ell+1}$ by construction, and that $\sigma_A^{\ell+1} \ne \alpha_A^{\ell+1}$, since $\sigma_A^{\ell+1}$ cannot be a terminating execution of $A$, as $A \in \mathrm{auts}(C_i)$, and so $A$ is still alive at the end of $\alpha''$.

From $\pi'' \upharpoonright B = \mathrm{map}_{AB}(\alpha'' \upharpoonright A)$ and the definition of $\mathrm{map}_{AB}$, it follows that $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$, where $\mathrm{trace}_A(\sigma_A^{\ell+1}) = \mathrm{trace}_B(\kappa_B^{\ell+1})$, and $\kappa_B^{\ell+1} \le \pi_B^{\ell+1}$. Recall that, by (AB), we have $\mathrm{trace}_A(\alpha_A^{\ell+1}) = \mathrm{trace}_B(\pi_B^{\ell+1})$.

By definition of $\mathrm{map}_{AB}$, we have $\kappa_B^{\ell+1} \le \pi_B^{\ell+1}$, since $\sigma_A^{\ell+1} \le \alpha_A^{\ell+1}$.

Let $t = \mathrm{map}(D_j)(B)$. Then $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$ since $C_i \triangleleft_{AB} D_j$. Now let $\delta_B$ be the unique execution fragment of $B$ such that $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ (i.e., $\delta_B$ extends $\kappa_B^{\ell+1}$ along $\pi_B^{\ell+1}$) and $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$ (i.e., $\delta_B$ is the unique extension that corresponds to the image of $\alpha' \upharpoonright A$ under $\mathrm{map}_{AB}$; see the definition of $\mathrm{map}_{AB}$). It follows, from the definition of $\mathrm{map}_{AB}$, that $\mathrm{first}(\delta_B) = t$ and that $\delta_B = \delta_B^{int} \frown (a^{i+1}, t')$, where $\delta_B^{int}$ consists entirely of internal actions that do not change the external signature of $B$, and so $\mathrm{trace}_B(\delta_B^{int}) = \mathrm{ext}(B)(t)$. Also, $t'$ is such that $\mathrm{ext}(A)(s') = \mathrm{ext}(B)(t')$, by (AB).

Now extend $\pi''$ by executing the actions along $\delta_B^{int}$, starting from $\mathrm{last}(\pi'')$. Let $y'$ be the last state of the resulting execution. In $y'$, $a^{i+1}$ can be executed by $Y$. This is because, at this point, $B$ can execute $a^{i+1}$, since $\delta_B^{int} \frown (a^{i+1}, t')$ is an execution fragment of $B$. If $a^{i+1}$ has any other participant SIOA, then these have the same state in $y'$ as they do in $C_i$, since $C_i \triangleleft_{AB} D_j$. So $a^{i+1}$ can be executed from $y'$. Let the resulting execution, including $a^{i+1}$, be $\pi'$. Let $\mathrm{last}(\pi') = y^{j'}$, where $j' = j + |\delta_B^{int}| + 1$. Let $D_{j'} = \mathrm{config}(Y)(y^{j'})$. Hence, by construction of $\pi'$, $\mathrm{map}(D_{j'})(B) = t'$. We now show that $C_{i+1} \triangleleft_{AB} D_{j'}$. Let $A' \in \mathrm{auts}(C_i) - \{A\}$. Then $A' \in \mathrm{auts}(D_j)$, and $\mathrm{map}(C_i)(A') = \mathrm{map}(D_j)(A')$, since $C_i \triangleleft_{AB} D_j$. Also, in transitioning from $C_i$ to $C_{i+1}$, each $A'$ either does nothing, and so remains in the same state, or it participates in the execution of $a^{i+1}$, possibly destroying itself as a result. Likewise, in transitioning from $D_j$ to $D_{j'}$, each $A'$ either does nothing, and so remains in the same state, or it participates in the execution of $a^{i+1}$, since $\delta_B^{int}$ consists entirely of internal actions of $B$, and no $A' \in \mathrm{auts}(C_i) - \{A\}$ can be $B$, by construction. Hence, the local transitions of the $A'$ (when executing $a^{i+1}$) can be chosen to be the same in $Y$ as in $X$, and so the same $A'$ destroy themselves in $Y$ as in $X$, and the surviving $A'$ have the same final states in $Y$ as in $X$. Also, $\delta_B^{int}$ creates no new SIOA, by Assumption 2, since its actions are all internal actions of $B$. We have $\psi = \varphi[B/A]$ from above. Hence the same SIOA are created by the transitions $(x^i, a^{i+1}, x^{i+1})$ and $(y', a^{i+1}, y^{j'})$, since $A, B$ are present in the configurations of $x^i, y'$, respectively, and executing the actions along $\delta_B^{int}$ does not change the trace, so that $\psi$ is still the set of SIOA created by $a^{i+1}$, according to Definition 29. Therefore we can choose $(y', a^{i+1}, y^{j'})$ so that it creates these new SIOA in the same start states that $(x^i, a^{i+1}, x^{i+1})$ does. We conclude that (except for $A, B$) $C_{i+1}$ and $D_{j'}$ end up with the same SIOA in the same states, i.e., $\mathrm{auts}(D_{j'}) = \mathrm{auts}(C_{i+1})[B/A]$ and for all $A' \in \mathrm{auts}(C_{i+1}) - \{A\} : \mathrm{map}(C_{i+1})(A') = \mathrm{map}(D_{j'})(A')$. Finally, $\mathrm{map}(C_{i+1})(A) = s'$, $\mathrm{map}(D_{j'})(B) = t'$, and $\mathrm{ext}(A)(s') = \mathrm{ext}(B)(t')$ from above. Hence the conditions of Definition 28 all hold, and so $C_{i+1} \triangleleft_{AB} D_{j'}$.

We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j'$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j'$.

Clause 3: from above, $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j'})$, since $\delta_B^{int}$ is an execution fragment consisting entirely of internal actions of $B$ which do not change the external signature of $B$. Also, $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1})$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Now $\mathrm{config}(X)(x^{i+1}) = C_{i+1}$, $\mathrm{config}(Y)(y^{j'}) = D_{j'}$. Also, $C_{i+1} \triangleleft_{AB} D_{j'}$, and so $\mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'})$. Hence $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'}) = \mathrm{ext}(Y)(y^{j'})$. We finally obtain $\mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j'})$. Hence $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{trace}_X({}_i|\alpha|_{i+1})$. Together with the induction hypothesis, this establishes Clause 3.

Clause 4: $({}_i|\alpha|_{i+1}) \upharpoonright A = s, a^{i+1}, s'$, so $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{ext}(A)(s) \frown a^{i+1} \frown \mathrm{ext}(A)(s')$. $({}_j|\pi|_{j'}) \upharpoonright B = \delta_B = \delta_B^{int} \frown (a^{i+1}, t')$, so $\mathrm{trace}_B(({}_j|\pi|_{j'}) \upharpoonright B) = \mathrm{trace}_B(\delta_B^{int}) \frown a^{i+1} \frown \mathrm{ext}(B)(t') = \mathrm{ext}(B)(t) \frown a^{i+1} \frown \mathrm{ext}(B)(t')$ since $\mathrm{trace}_B(\delta_B^{int}) = \mathrm{ext}(B)(t)$. From above, $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$ and $\mathrm{ext}(A)(s') = \mathrm{ext}(B)(t')$. Hence $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{trace}_B(({}_j|\pi|_{j'}) \upharpoonright B)$. Clause 4 follows from this and the induction hypothesis.

Clause 5: we have, from above, $C_{i+1} \triangleleft_{AB} D_{j'}$. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j'} = \mathrm{config}(Y)(y^{j'})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j'})$. Since $m(i+1) = j'$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: from above, $\pi'$ results by extending $\pi''$ with the actions along $\delta_B^{int}$, followed by the transition $(y', a^{i+1}, y^{j'})$. Hence $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$, since $\delta_B = \delta_B^{int} \frown (a^{i+1}, t')$. Also, $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$, so $\pi' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1} \frown \delta_B$. We also have $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ by our choice of $\delta_B$. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^{\ell+1}$, and so $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: from immediately above, $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$. Also from above, $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$, by our choice of $\delta_B$. Hence $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$.


Case 5: $A \in \mathrm{auts}(C_i)$, $A \in \mathrm{auts}(C_{i+1})$, and $a^{i+1} \in \mathrm{int}(A)(s)$, where $s = \mathrm{map}(C_i)(A)$.

Let $s' = \mathrm{map}(C_{i+1})(A)$. Hence $\alpha' \upharpoonright A = \alpha'' \upharpoonright A \frown (s, a^{i+1}, s')$ by Definition 31, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A$. Also $\alpha' \le \alpha$, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A \le \alpha \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^k$. Hence $\alpha'' \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^\ell \$ \sigma_A^{\ell+1}$ for some $\ell < k$, where $\sigma_A^{\ell+1} \le \alpha_A^{\ell+1}$. Note that $\sigma_A^{\ell+1} \ne \alpha_A^{\ell+1}$, since $\sigma_A^{\ell+1}$ cannot be a terminating execution of $A$, as $A \in \mathrm{auts}(C_i)$, and so $A$ is still alive at the end of $\alpha''$. Hence $\sigma_A^{\ell+1} < \alpha_A^{\ell+1}$.

From $\pi'' \upharpoonright B = \mathrm{map}_{AB}(\alpha'' \upharpoonright A)$ and the definition of $\mathrm{map}_{AB}$, it follows that $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$, where $\mathrm{trace}_A(\sigma_A^{\ell+1}) = \mathrm{trace}_B(\kappa_B^{\ell+1})$, and $\kappa_B^{\ell+1} \le \pi_B^{\ell+1}$. Recall that, by (AB), we have $\mathrm{trace}_A(\alpha_A^{\ell+1}) = \mathrm{trace}_B(\pi_B^{\ell+1})$.

By definition of $\mathrm{map}_{AB}$, we have $\kappa_B^{\ell+1} \le \pi_B^{\ell+1}$, since $\sigma_A^{\ell+1} \le \alpha_A^{\ell+1}$.

By (e), $C_i \triangleleft_{AB} D_j$. Hence $B \in \mathrm{auts}(D_j)$. Let $t = \mathrm{map}(D_j)(B)$. Then $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$ since $C_i \triangleleft_{AB} D_j$. Now let $\delta_B$ be the unique execution fragment of $B$ such that $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ (i.e., $\delta_B$ extends $\kappa_B^{\ell+1}$ along $\pi_B^{\ell+1}$) and $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$ (i.e., $\delta_B$ is the unique extension that corresponds to the image of $\alpha' \upharpoonright A$ under $\mathrm{map}_{AB}$; see the definition of $\mathrm{map}_{AB}$). It follows, from the definition of $\mathrm{map}_{AB}$, that $\mathrm{first}(\delta_B) = t$, that $\delta_B$ consists entirely of internal actions of $B$, and that $\mathrm{trace}_B(\delta_B) = \mathrm{trace}_A((s, a^{i+1}, s'))$. Let $t' = \mathrm{last}(\delta_B)$. Then it also follows by (AB) that $\mathrm{ext}(A)(s') = \mathrm{ext}(B)(t')$.

Now extend $\pi''$ by executing the actions along $\delta_B$, starting from $\mathrm{last}(\pi'')$. Let the resulting execution be $\pi'$. Let $\mathrm{last}(\pi') = y^{j'}$ where $j' = j + |\delta_B|$. Let $D_{j'} = \mathrm{config}(Y)(y^{j'})$. Hence, by construction of $\pi'$, $\mathrm{map}(D_{j'})(B) = t'$. We now show that $C_{i+1} \triangleleft_{AB} D_{j'}$. Let $A' \in \mathrm{auts}(C_i) - \{A\}$. Then $A' \in \mathrm{auts}(D_j)$, since $C_i \triangleleft_{AB} D_j$. Also, in transitioning from $C_i$ to $C_{i+1}$, each $A'$ does nothing, and so remains in the same state, since $a^{i+1}$ is an internal action of $A$. Likewise, in transitioning from $D_j$ to $D_{j'}$, each $A'$ does nothing, and so remains in the same state, since $\delta_B$ consists entirely of internal actions of $B$. Hence, the $A'$ have the same final states in $Y$ as in $X$. By Assumption 2, no new SIOA are created by executing $a^{i+1}$ in $X$, nor by executing $\delta_B$ in $Y$, since $a^{i+1}$ is an internal action of $A$, and $\delta_B$ consists entirely of internal actions of $B$. We conclude that (except for $A, B$) $C_{i+1}$ and $D_{j'}$ end up with the same SIOA in the same states, i.e., $\mathrm{auts}(D_{j'}) = \mathrm{auts}(C_{i+1})[B/A]$ and for all $A' \in \mathrm{auts}(C_{i+1}) - \{A\} : \mathrm{map}(C_{i+1})(A') = \mathrm{map}(D_{j'})(A')$. Finally, $\mathrm{map}(C_{i+1})(A) = s'$, $\mathrm{map}(D_{j'})(B) = t'$, and $\mathrm{ext}(A)(s') = \mathrm{ext}(B)(t')$ from above. Hence the conditions of Definition 28 all hold, and so $C_{i+1} \triangleleft_{AB} D_{j'}$.

We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j'$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j'$.

Clause 3: $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = r(\mathrm{ext}(Y)(y^j) \frown \mathrm{ext}(Y)(y^{j'}))$, where $r$ is given by Definition 11. This is because $\delta_B$ is an execution fragment consisting entirely of internal actions of $B$, and which is trace equal to $(s, a^{i+1}, s')$. Hence $\delta_B$ can be partitioned into two parts, each of which has the same external signature along all its states. Also $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = r(\mathrm{ext}(X)(x^i) \frown \mathrm{ext}(X)(x^{i+1}))$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Now $\mathrm{config}(X)(x^{i+1}) = C_{i+1}$, $\mathrm{config}(Y)(y^{j'}) = D_{j'}$. Also, $C_{i+1} \triangleleft_{AB} D_{j'}$, and so $\mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'})$. Hence $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'}) = \mathrm{ext}(Y)(y^{j'})$. We finally obtain $\mathrm{ext}(X)(x^i) \frown \mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(Y)(y^j) \frown \mathrm{ext}(Y)(y^{j'})$. Hence $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{trace}_X({}_i|\alpha|_{i+1})$. Together with the induction hypothesis, this establishes Clause 3.

Clause 4: from above, $({}_i|\alpha|_{i+1}) \upharpoonright A = s, a^{i+1}, s'$ and $({}_j|\pi|_{j'}) \upharpoonright B = \delta_B$. Also from above, $\mathrm{trace}_B(\delta_B) = \mathrm{trace}_A((s, a^{i+1}, s'))$. Hence $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{trace}_B(({}_j|\pi|_{j'}) \upharpoonright B)$. Clause 4 follows from this and the induction hypothesis.

Clause 5: we have, from above, $C_{i+1} \triangleleft_{AB} D_{j'}$. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j'} = \mathrm{config}(Y)(y^{j'})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j'})$. Since $m(i+1) = j'$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: from above, $\pi'$ results by extending $\pi''$ with the actions along $\delta_B$. Hence $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$, since $\delta_B$ consists entirely of internal actions of $B$. Also, $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$. Hence $\pi' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1} \frown \delta_B$. We also have $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ by our choice of $\delta_B$. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^{\ell+1}$, and so $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: from immediately above, $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$. Also from above, $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$, by our choice of $\delta_B$. Hence $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$.


Case 6: $A \in \mathrm{auts}(C_i)$, $A \notin \mathrm{auts}(C_{i+1})$, and $a^{i+1} \notin \mathrm{sig}(A)(\mathrm{map}(C_i)(A))$.

Since $A \in \mathrm{auts}(C_i)$ and $A \notin \mathrm{auts}(C_{i+1})$, in the execution of $a^{i+1}$, $A$ must set its signature to empty. Hence $A$ must be a participant of $a^{i+1}$, so that $a^{i+1} \in \mathrm{sig}(A)(\mathrm{map}(C_i)(A))$. Hence this case is not possible.


Case 7: $A \in \mathrm{auts}(C_i)$, $A \notin \mathrm{auts}(C_{i+1})$, and $a^{i+1} \in \mathrm{ext}(A)(s)$, where $s = \mathrm{map}(C_i)(A)$.

By (e), $C_i \triangleleft_{AB} D_j$. Hence $B \in \mathrm{auts}(D_j)$. Also, by Proposition 31, $\mathrm{ext}(C_i) = \mathrm{ext}(D_j)$. By $a^{i+1} \in \mathrm{ext}(A)(s)$, $A \in \mathrm{auts}(C_i)$, and Definition 16, $a^{i+1} \in \mathrm{ext}(C_i)$. Hence $a^{i+1} \in \mathrm{ext}(D_j)$ since $\mathrm{ext}(C_i) = \mathrm{ext}(D_j)$. Hence $a^{i+1} \in \mathrm{sig}(Y)(y^j)$ by Definition 18, since $D_j = \mathrm{config}(Y)(y^j)$. Hence $\mathrm{created}(Y)(y^j)(a^{i+1}) = \mathrm{created}(X)(x^i)(a^{i+1})[B/A]$ by (f). So letting $\psi = \mathrm{created}(Y)(y^j)(a^{i+1})$ and $\varphi = \mathrm{created}(X)(x^i)(a^{i+1})$, we have $\psi = \varphi[B/A]$.

Now $\alpha' \upharpoonright A = \alpha'' \upharpoonright A \frown (s, a^{i+1})$ by Definition 31. Also $\alpha' \le \alpha$, and so $\alpha'' \upharpoonright A \le \alpha' \upharpoonright A \le \alpha \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^k$. Hence $\alpha'' \upharpoonright A = \alpha_A^1 \$ \cdots \$ \alpha_A^\ell \$ \sigma_A^{\ell+1}$, where $\sigma_A^{\ell+1} \frown a^{i+1} = \alpha_A^{\ell+1}$, for some $\ell < k$, since $A$ is destroyed by the execution of $a^{i+1}$, and so the last execution in $\alpha' \upharpoonright A$ must be a terminating execution.

From $\pi'' \upharpoonright B = \mathrm{map}_{AB}(\alpha'' \upharpoonright A)$ and the definition of $\mathrm{map}_{AB}$, it follows that $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$, where $\mathrm{trace}_A(\sigma_A^{\ell+1}) = \mathrm{trace}_B(\kappa_B^{\ell+1})$, and $\kappa_B^{\ell+1} \le \pi_B^{\ell+1}$. Recall that, by (AB), we have $\mathrm{trace}_A(\alpha_A^{\ell+1}) = \mathrm{trace}_B(\pi_B^{\ell+1})$.

Let $t = \mathrm{map}(D_j)(B)$. Then $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$ since $C_i \triangleleft_{AB} D_j$. Now let $\delta_B$ be the unique execution fragment of $B$ such that $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ (i.e., $\delta_B$ extends $\kappa_B^{\ell+1}$ along $\pi_B^{\ell+1}$) and $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$ (i.e., $\delta_B$ is the unique extension that corresponds to the image of $\alpha' \upharpoonright A$ under $\mathrm{map}_{AB}$; see the definition of $\mathrm{map}_{AB}$). It follows, from the definition of $\mathrm{map}_{AB}$, that $\delta_B = \delta_B^{int} \frown a^{i+1}$, where $\delta_B^{int}$ consists entirely of internal actions that do not change the external signature of $B$. This is because $B$ must, by assumption, destroy itself using an external action. Thus, by (AB), the destroying action must be $a^{i+1}$. Hence also $\kappa_B^{\ell+1} \frown \delta_B = \pi_B^{\ell+1}$, since $B$ is destroyed at the end of $\delta_B$. Also by construction of $\delta_B$ and (AB), $\mathrm{first}(\delta_B) = t$ and $\mathrm{trace}_B(\delta_B^{int}) = \mathrm{ext}(B)(t)$.

Now extend $\pi''$ by applying the actions along $\delta_B$, starting in $\mathrm{last}(\pi'')$. Let the resulting execution be $\pi'$, and let $y'$ be the state of $\pi'$ reached after executing $\delta_B^{int}$, i.e., the state from which $a^{i+1}$ is executed. Hence $\mathrm{last}(\pi') = y^{j'}$ where $j' = j + |\delta_B^{int}| + 1$. Let $D_{j'} = \mathrm{config}(Y)(y^{j'})$. We now show that $C_{i+1} \triangleleft_{AB} D_{j'}$. Let $A' \in \mathrm{auts}(C_i) - \{A\}$. Then $A' \in \mathrm{auts}(D_j)$, since $C_i \triangleleft_{AB} D_j$. Also, in transitioning from $C_i$ to $C_{i+1}$, each $A'$ either does nothing, and so remains in the same state, or it participates in the execution of $a^{i+1}$, possibly destroying itself as a result. Likewise, in transitioning from $D_j$ to $D_{j'}$, each $A'$ either does nothing, and so remains in the same state, or it participates in the execution of $a^{i+1}$, since $\delta_B^{int}$ consists entirely of internal actions of $B$, and no $A' \in \mathrm{auts}(C_i) - \{A\}$ can be $B$, by construction. Hence, the local transitions of the $A'$ (when executing $a^{i+1}$) can be chosen to be the same in $Y$ as in $X$, and so the same $A'$ destroy themselves in $Y$ as in $X$, and the surviving $A'$ have the same final states in $Y$ as in $X$. Also, $\delta_B^{int}$ creates no new SIOA, by Assumption 2, since its actions are all internal actions of $B$. We have $\psi = \varphi[B/A]$ from above. Hence the same SIOA are created by the transitions $(x^i, a^{i+1}, x^{i+1})$ and $(y', a^{i+1}, y^{j'})$, since $A, B$ are present in the configurations of $x^i, y'$, respectively, and executing the actions along $\delta_B^{int}$ does not change the trace, so that $\psi$ is still the set of SIOA created by $a^{i+1}$, according to Definition 29. Therefore we can choose $(y', a^{i+1}, y^{j'})$ so that it creates these new SIOA in the same start states that $(x^i, a^{i+1}, x^{i+1})$ does.

We conclude that (except for $A, B$) $C_{i+1}$ and $D_{j'}$ end up with the same SIOA in the same states, i.e., $\mathrm{auts}(D_{j'}) = \mathrm{auts}(C_{i+1})[B/A]$ and for all $A' \in \mathrm{auts}(C_{i+1}) - \{A\} : \mathrm{map}(C_{i+1})(A') = \mathrm{map}(D_{j'})(A')$. Also, $A \notin \mathrm{auts}(C_{i+1})$ and $B \notin \mathrm{auts}(D_{j'})$. Hence the conditions of Definition 28 all hold, and so $C_{i+1} \triangleleft_{AB} D_{j'}$.

We now establish $\alpha'\, R_{AB}\, \pi'$, $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$, and $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$.

Proof of $\alpha'\, R_{AB}\, \pi'$: extend the mapping $m$ by setting $m(i+1) = j'$. We deal with each clause of Definition 34 in turn.

Clause 1: holds since $m(0) = 0$ remains true.

Clause 2: holds since $|\pi'| = j'$.

Clause 3: $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j'})$. This is because $\delta_B^{int}$ is an execution fragment consisting entirely of internal actions of $B$ which do not change the external signature. Also $\mathrm{trace}_X({}_i|\alpha|_{i+1}) = \mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1})$. By (d), $\mathrm{ext}(X)(x^i) = \mathrm{ext}(Y)(y^j)$. Now $\mathrm{config}(X)(x^{i+1}) = C_{i+1}$, $\mathrm{config}(Y)(y^{j'}) = D_{j'}$. Also, $C_{i+1} \triangleleft_{AB} D_{j'}$, and so $\mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'})$. Hence $\mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(C_{i+1}) = \mathrm{ext}(D_{j'}) = \mathrm{ext}(Y)(y^{j'})$. We finally obtain $\mathrm{ext}(X)(x^i) \frown a^{i+1} \frown \mathrm{ext}(X)(x^{i+1}) = \mathrm{ext}(Y)(y^j) \frown a^{i+1} \frown \mathrm{ext}(Y)(y^{j'})$. Hence $\mathrm{trace}_Y({}_{m(i)}|\pi|_{m(i+1)}) = \mathrm{trace}_X({}_i|\alpha|_{i+1})$. Together with the induction hypothesis, this establishes Clause 3.

Clause 4: $({}_i|\alpha|_{i+1}) \upharpoonright A = s, a^{i+1}$, so $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{ext}(A)(s) \frown a^{i+1}$ since $A \notin \mathrm{auts}(C_{i+1})$. $({}_j|\pi|_{j'}) \upharpoonright B = \delta_B$, so $\mathrm{trace}_B(({}_j|\pi|_{j'}) \upharpoonright B) = \mathrm{trace}_B(\delta_B) = \mathrm{trace}_B(\delta_B^{int} \frown a^{i+1}) = \mathrm{ext}(B)(t) \frown a^{i+1}$, since $B \notin \mathrm{auts}(D_{j'})$. From above, $\mathrm{ext}(A)(s) = \mathrm{ext}(B)(t)$. Hence $\mathrm{trace}_A(({}_i|\alpha|_{i+1}) \upharpoonright A) = \mathrm{trace}_B(({}_j|\pi|_{j'}) \upharpoonright B)$. Clause 4 follows from this and the induction hypothesis.

Clause 5: we have, from above, $C_{i+1} \triangleleft_{AB} D_{j'}$. Since $C_{i+1} = \mathrm{config}(X)(x^{i+1})$, $D_{j'} = \mathrm{config}(Y)(y^{j'})$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{j'})$. Since $m(i+1) = j'$, we have $\mathrm{config}(X)(x^{i+1}) \triangleleft_{AB} \mathrm{config}(Y)(y^{m(i+1)})$. Clause 5 follows from this and the induction hypothesis.

Proof of $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$: from above, $\pi'$ is $\pi''$ extended by the actions along $\delta_B$, and so $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$ by construction of $\delta_B$. Also, $\pi'' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1}$. Hence $\pi' \upharpoonright B = \pi_B^1 \$ \cdots \$ \pi_B^\ell \$ \kappa_B^{\ell+1} \frown \delta_B$. We also have $\kappa_B^{\ell+1} \frown \delta_B \le \pi_B^{\ell+1}$ by our choice of $\delta_B$. Hence $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^{\ell+1}$, and so $\pi' \upharpoonright B \le \pi_B^1 \$ \cdots \$ \pi_B^k$.

Proof of $\mathrm{map}_{AB}(\alpha' \upharpoonright A) = \pi' \upharpoonright B$: from immediately above, $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B$. Also from above, $\pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$, by our choice of $\delta_B$. Hence $\pi' \upharpoonright B = \pi'' \upharpoonright B \frown \delta_B = \mathrm{map}_{AB}(\alpha' \upharpoonright A)$.


Case 8: $A \in \mathrm{auts}(C_i)$, $A \notin \mathrm{auts}(C_{i+1})$, and $a^{i+1} \in \mathrm{int}(A)(\mathrm{map}(C_i)(A))$, i.e., $a^{i+1}$ is an internal action of $A$.

By Assumption 1, $A$ does not destroy itself by executing an internal action. Hence this case is not possible.

Having established the induction step in all cases, we conclude that (*) holds. Since $\alpha'$ is any prefix of $\alpha$, we can instantiate $\alpha'$ to $\alpha$, which gives us that there exists $\pi$ such that $\alpha\, R_{AB}\, \pi$, and we are done.


Theorem 34 (Monotonicity of finite-trace inclusion w.r.t. SIOA creation) Let $X, Y$ be configuration automata, and $A, B$ be SIOA. Assume that,

1. $B$ has a single start state, and $A, B$ do not destroy themselves by executing an internal action,

2. internal actions of $A, B$ do not create any SIOA, i.e., have empty create sets,

3. $\forall x \in \mathrm{start}(X),\ \exists y \in \mathrm{start}(Y) : \mathrm{config}(X)(x) \triangleleft_{AB} \mathrm{config}(Y)(y)$,

4. $\mathrm{traces}^*(A) \subseteq \mathrm{traces}^*(B)$,

5. $\mathrm{ttraces}(A) \subseteq \mathrm{ttraces}(B)$, and

6. $X, Y$ are creation-corresponding w.r.t. $A, B$.

Then

$\mathrm{traces}^*(X) \subseteq \mathrm{traces}^*(Y)$.

Proof: Immediate from Lemma 33 and Proposition 32.


Theorem 35 (Monotonicity of trace inclusion w.r.t. SIOA creation) Let $X, Y$ be configuration automata, and $A, B$ be SIOA. Assume that,

1. $B$ has a single start state, and $A, B$ do not destroy themselves by executing an internal action,

2. internal actions of $A, B$ do not create any SIOA, i.e., have empty create sets,

3. $\forall x \in \mathrm{start}(X),\ \exists y \in \mathrm{start}(Y) : \mathrm{config}(X)(x) \triangleleft_{AB} \mathrm{config}(Y)(y)$,

4. $\mathrm{traces}^*(A) \subseteq \mathrm{traces}^*(B)$,

5. $\mathrm{ttraces}(A) \subseteq \mathrm{ttraces}(B)$, and

6. $X, Y$ are creation-corresponding w.r.t. $A, B$.

Then

$\mathrm{traces}(X) \subseteq \mathrm{traces}(Y)$.

Proof: Let $\alpha = x^0 a^1 x^1 a^2 x^2 \ldots$ be an arbitrary execution of $X$. We show that there exists a "corresponding" execution $\pi$ of $Y$ such that $\alpha\, R_{AB}\, \pi$. Proposition 32 then implies $\mathrm{trace}(\alpha) = \mathrm{trace}(\pi)$, which yields the desired $\mathrm{traces}(X) \subseteq \mathrm{traces}(Y)$.

If $\alpha$ is finite, then the result follows from Lemma 33. So, we assume that $\alpha$ is infinite. Let $\alpha_1$ be an arbitrary prefix of $\alpha$. Then, by Lemma 33 there exists a finite execution $\pi_1$ of $Y$ such that $\alpha_1\, R_{AB}\, \pi_1$. Likewise, if $\alpha_1 \le \alpha_2$ and $\alpha_2 \le \alpha$ then there exists a finite execution $\pi_2$ of $Y$ such that $\alpha_2\, R_{AB}\, \pi_2$. Furthermore, we can show that $\pi_1 \le \pi_2$ since $\pi_2$ can be chosen to be an extension of $\pi_1$, as the proof of Lemma 33 constructs $\pi_1$ and then $\pi_2$ by induction on their length.

Since $\alpha$ is infinite, there exists an infinite set $\{\alpha_i \mid i > 0\}$ of finite executions of $X$ such that $\forall i > 0 : \alpha_i \le \alpha_{i+1} \wedge \alpha_i \le \alpha$. Repeating the above argument for arbitrary $i > 0$, we obtain that there exists an infinite set $\{\pi_i \mid i > 0\}$ of finite executions of $Y$ such that $\forall i > 0 : \pi_i \le \pi_{i+1} \wedge \alpha_i\, R_{AB}\, \pi_i$. Now let $\pi$ be the unique infinite execution of $Y$ that satisfies $\forall i > 0 : \pi_i \le \pi$. Then, by Definition 34, $\alpha\, R_{AB}\, \pi$, and so $\pi$ is the required execution of $Y$.


Corollary 36 (Trace equivalence w.r.t. SIOA creation) Let X, Y be configuration automata, and A, B be SIOA. Assume that

1. A, B have a single start state, and A, B do not destroy themselves by executing an internal action,

2. internal actions of A, B do not create any SIOA, i.e., have empty create sets,

3. $\forall x \in start(X), \exists y \in start(Y) : config(X)(x) \lhd_{AB} config(Y)(y)$ and
$\forall y \in start(Y), \exists x \in start(X) : config(Y)(y) \lhd_{BA} config(X)(x)$,

4. $traces^*(A) = traces^*(B)$,

5. $ttraces(A) = ttraces(B)$, and

6. X, Y are creation-corresponding w.r.t. A, B.

Then $traces(X) = traces(Y)$.

Proof: Immediate by applying Theorem 35 in both directions of trace containment. Note that we use $\lhd_{BA}$ to mean $\lhd_{AB}$ with the roles of A, B interchanged, and that $created(Y)(y)(a) = created(X)(x)(a)[B/A]$ iff $created(Y)(y)(a)[A/B] = created(X)(x)(a)$.


In Section 8 below, we present an example of a flight ticket purchase system. A client submits requests to 
buy an airline ticket to a client agent. The client agent creates a request agent for each request. The request 
agent searches through a set of appropriate databases where the request might be satisfied. Upon booking a 
suitable flight, the request agent returns confirmation to the client agent and self-destructs. A typical safety 
property is that if a flight booking is returned to a client, then the price of the flight is not greater than 
the maximum price specified by the client. The request agent in this example searches through databases 
in any order. Suppose we replace it by a more refined agent that searches through databases according to 
some rules or heuristics, so that it looks first at the databases more likely to have a suitable flight. Then, 
Theorem 34 tells us that this refined system has all of the safety properties which the original system has. 


7 Modeling Dynamic Connection and Locations 


We stated in the introduction that we model both the dynamic creation/moving of connections, and the 
mobility of agents, by using dynamically changing external interfaces. The guiding principle here, adapted 
from [26], is that an agent should only interact directly with either (1) another co-located agent, or (2) a 
channel one of whose ends is co-located with the agent. Thus, we restrict interaction according to the current 
locations of the agents. 


We adopt a logical notion of location: a location is simply a value drawn from the domain of “all locations.” 
To codify our guiding principle, we partition the set of SIOA into two subsets, namely the set of agent SIOA, 
and the set of channel SIOA. Agent SIOA have a single location, and represent agents, and channel SIOA 
have two locations, namely their current endpoints. We assume that all configurations are compatible, and 
codify the guiding principle as follows: for any configuration, the following conditions all hold: (1) two agent 
SIOA have a common external action only if they have the same location, (2) an agent SIOA and a channel 
SIOA have a common external action only if one of the channel endpoints has the same location as the agent 
SIOA, and (3) two channel SIOA have no common external actions. 
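As an added example (not from the paper), the following Python check tests the three locality conditions above over every pair of SIOA in a constructed configuration. The SIOA classes, the action names, and the travel-agent-style configuration it builds are assumptions of the example, not part of the model.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Tuple

@dataclass(frozen=True)
class AgentSIOA:
    name: str
    location: str                 # the single location of an agent SIOA
    ext: FrozenSet[str]           # its current external actions (in ∪ out)

@dataclass(frozen=True)
class ChannelSIOA:
    name: str
    endpoints: Tuple[str, str]    # the two current endpoints of a channel SIOA
    ext: FrozenSet[str]

def locality_violations(config):
    """Check conditions (1)-(3) over every pair of SIOA in a configuration.
    Returns one (name, name, reason) triple per violating pair; an empty list
    means the configuration respects the guiding principle."""
    bad = []
    for a, b in combinations(config, 2):
        if not (a.ext & b.ext):       # no common external action: nothing to check
            continue
        agents = [x for x in (a, b) if isinstance(x, AgentSIOA)]
        if len(agents) == 2:          # (1) two agents must be co-located
            if a.location != b.location:
                bad.append((a.name, b.name, "agents at different locations"))
        elif len(agents) == 0:        # (3) two channels never share an action
            bad.append((a.name, b.name, "two channels share an action"))
        else:                         # (2) one channel endpoint must be at the agent
            agent = agents[0]
            chan = b if agent is a else a
            if agent.location not in chan.endpoints:
                bad.append((agent.name, chan.name, "no channel endpoint at the agent"))
    return bad

def travel_configuration(req_location):
    """Constructed configuration (assumption): a request agent whose signature
    still names database d1 and channel ch, database agents at d1 and d2, a
    client agent at c, and a channel ch with endpoints (c, d1)."""
    req = AgentSIOA("ReqAgt(f)", req_location,
                    frozenset({"query_d1(f)", "inform_d1(f, flts)", "send_ch(m)"}))
    db1 = AgentSIOA("DBAgt_d1", "d1", frozenset({"query_d1(f)", "inform_d1(f, flts)"}))
    db2 = AgentSIOA("DBAgt_d2", "d2", frozenset({"query_d2(f)", "inform_d2(f, flts)"}))
    client = AgentSIOA("ClientAgt", "c", frozenset({"recv_ch(m)"}))
    ch = ChannelSIOA("ch", ("c", "d1"), frozenset({"send_ch(m)", "recv_ch(m)"}))
    return [client, req, db1, db2, ch]

if __name__ == "__main__":
    # At d1 the configuration is legal; after moving to d2 without adjusting
    # its signature, the request agent violates conditions (1) and (2).
    print(locality_violations(travel_configuration("d1")))
    print(locality_violations(travel_configuration("d2")))
```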


8 Extended Example: A Travel Agent System 


Our example is a simple flight ticket purchase system. A client requests to buy an airline ticket. The 
client gives some "flight information," f, e.g., acceptable departure and arrival times, departure city and 
destination city. The client also specifies a maximum price f.mp they can pay. f contains all the client 
information, including mp, as well as an identifier that is unique across all client requests. The request 
goes to a static (always existing) "client agent," who then creates a special "request agent" dedicated to 
the particular request. That request agent then visits a (fixed) set of databases where the request might be 
satisfied. If the request agent finds a satisfactory flight in one of the databases, i.e., a flight that conforms 
to f and has price ≤ mp, then it purchases some such flight, and returns a flight descriptor fd giving the 
flight and the price paid (fd.p) to the client agent, who returns it to the client. The request agent then 
terminates. To abstract away from the details of conforming to a client's flight information, we assume a 
predicate conforms(fd, f) that holds when the flight given by fd satisfies the arrival/departure times and cities 
of the client request f. We assume a set F of flight descriptors, and a static set D of database agents. We 
also assume that both the client flight information f, and the returned flight descriptor fd, are elements of 
F. 


The agents in the system are: 


1. ClientAgt, who receives all requests from the client, 

2. ReqAgt(f), responsible for handling request f, and 

3. DBAgt_d, d ∈ D, the agent (i.e., front-end) for database d, where D is the set of all databases in the 
system. 


We augment the pseudocode used in the mobile phone example by identifying SIOA using a “type name” 
followed by some parameters. This is only a notational convenience, and is not part of our model. 


Figure 8 presents a specification automaton, Spec, which is a single SIOA that, together with the databases, 
specifies the set of correct traces. That is, we can take the specification to be $Spec \parallel (\parallel_{d \in D} DBAgt_d)$. However, 
as we see below, it is simpler, and just as effective, to take the specification to be Spec, i.e., to exclude the 
databases from the specification. 


Figures 9, 10, and 11 give the client agent, request agents, and database agent of an implementation, 
respectively. When writing sets of actions, we make the convention that all free variables are universally 
quantified over their domains, so, e.g., {inform_d(f, flts), conf_d(fd, ok?)} within action select_d(f) below really 
denotes {inform_d(f, flts), conf_d(fd, ok?) | fd ∈ F, flts ⊆ F, ok? ∈ Bool}. 


In the implementation, we enforce locality constraints by modifying the signature of ReqAgt(f) so that it 
can only query a database d if it is currently at location d (we use the database names for their locations). 
We allow ReqAgt(f) to communicate with ClientAgt regardless of its location. A further refinement would 
insert a suitable channel between ReqAgt(f) and ClientAgt for this communication (one end of which would 
move along with ReqAgt(f)), or would move ReqAgt(f) back to the location of ClientAgt. 


We now give the client agent and request agents of the implementation. The initial configuration consists 
solely of the client agent ClientAgt. We also give the database agents, which we can view as being “external” 
to the system, since we do not consider their details in arguing trace inclusion. We provide the databases 
for sake of completeness, and to demonstrate that we can reason even in the absence of major components, 
i.e., we can reason about “open” systems. 


ClientAgt receives requests from a client (not portrayed), via the request input action. ClientAgt accumulates 
these requests in reqs, and creates a request agent ReqAgt(f) for each one, via the output action create. This 
is indicated by the pseudocode "creates SIOA ReqAgt(f)". Upon receiving a response from the request agent, 
via input action req-agent-response, the client agent adds the response to the set resps, and subsequently 
communicates the response to the client via the response output action. It also removes all record of the 
request at this point. 


ReqAgt(f) handles the single request f, and then terminates itself. ReqAgt(f) has initial location c (the location 
of ClientAgt) and traverses the databases in the system, querying each database d using query_d(f). Database 
d returns a set of flights that match the schedule information in f. Upon receiving this (inform_d(f, flts)), 
ReqAgt(f) searches for a suitably cheap flight (the $\exists fd \in flts : fd.p \le f.mp$ condition in inform_d(f, flts)). 
If such a flight exists, then ReqAgt(f) attempts to buy it (buy_d(f, flts) and conf_d(f, fd, ok?)). If successful, 
then ReqAgt(f) returns a positive response to ClientAgt and terminates. ReqAgt(f) queries each database at 
most once, and attempts to buy a ticket from each database at most once. ReqAgt(f) can return a negative 
response if it has queried each database once and failed to buy a ticket. 
Specification: Spec 

Signature 
  Input: 
    request(f), where f ∈ F 
    inform_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
    conf_d(f, fd, ok?), where d ∈ D, f, fd ∈ F, and ok? ∈ Bool 
    select_d(f), where d ∈ D and f ∈ F 
    adjustsig(f), where f ∈ F 
    initially: {request(f) : f ∈ F} ∪ {select_d(f) : d ∈ D, f ∈ F} 
  Output: 
    query_d(f), where d ∈ D and f ∈ F 
    buy_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
    response(f, fd, ok?), where f, fd ∈ F and ok? ∈ Bool 
    initially: {response(f, fd, ok?) : f, fd ∈ F, ok? ∈ Bool} 
  Internal: 
    ∅ 
    constant 

State 
  status_f ∈ {notsubmitted, submitted, computed, replied}, status of request f, initially notsubmitted 
  trans_{f,d} ∈ Bool, true iff the system is currently interacting with database d on behalf of request f, initially false 
  okflts_{f,d} ⊆ F, set of acceptable flights that has been found so far, initially empty 
  resps ⊆ F × F × Bool, responses that have been calculated but not yet sent to client, initially empty 
  x_{f,d} ∈ N, bound on the number of times database d is queried on behalf of request f before a negative reply is returned to the client, 
    initially any natural number greater than zero 

Actions 
  Input request(f) 
    Eff: status_f ← submitted 

  Input select_d(f) 
    Eff: in ← (in ∪ {inform_d(f, flts), conf_d(fd, ok?)}) − {inform_{d'}(f, flts), conf_{d'}(fd, ok?) : d' ≠ d}; 
         out ← (out ∪ {query_d(f), buy_d(f, fd)}) − {query_{d'}(f), buy_{d'}(f, fd) : d' ≠ d} 

  Output query_d(f) 
    Pre: status_f = submitted ∧ x_{f,d} > 0 
    Eff: x_{f,d} ← x_{f,d} − 1; 
         trans_{f,d} ← true 

  Output response(f, fd, ok?) 
    Pre: (f, fd, ok?) ∈ resps ∧ status_f = computed 
    Eff: status_f ← replied 

  Input inform_d(f, flts) 
    Eff: okflts_{f,d} ← okflts_{f,d} ∪ {fd : fd ∈ flts ∧ fd.p ≤ f.mp} 

  Output buy_d(f, flts) 
    Pre: status_f = submitted ∧ flts = okflts_{f,d} ≠ ∅ ∧ trans_{f,d} 
    Eff: skip 

  Input conf_d(f, fd, ok?) 
    Eff: trans_{f,d} ← false; 
         if ok? then 
           resps ← resps ∪ {(f, fd, true)}; 
           status_f ← computed 
         else 
           if ∀d : x_{f,d} = 0 then 
             resps ← resps ∪ {(f, ⊥, false)}; 
             status_f ← computed 

  Input adjustsig(f) 
    Eff: in ← in − {inform_d(f, flts), conf_d(f, fd, ok?)}; 
         out ← out − {query_d(f), buy_d(f, fd)} 

Figure 8: The specification automaton 
Client Agent: ClientAgt 

Signature 
  Input: 
    request(f), where f ∈ F 
    req-agent-response(f, fd, ok?), where f, fd ∈ F, and ok? ∈ Bool 
    constant 
  Output: 
    response(f, fd, ok?), where f, fd ∈ F and ok? ∈ Bool 
    create(ClientAgt, ReqAgt(f)), where f ∈ F 
    constant 
  Internal: 
    ∅ 
    constant 

State 
  reqs ⊆ F, outstanding requests, initially empty 
  created ⊆ F, outstanding requests for whom a request agent has been created, but the response has not yet been returned to the 
    client, initially empty 
  resps ⊆ F × F × Bool, responses not yet returned to client, initially empty 

Actions 
  Input request(f) 
    Eff: reqs ← reqs ∪ {f} 

  Input req-agent-response(f, fd, ok?) 
    Eff: resps ← resps ∪ {(f, fd, ok?)}; 
         done ← done ∪ {f} 

  Output create(ClientAgt, ReqAgt(f)) 
    Pre: f ∈ reqs ∧ f ∉ created 
    Eff: created ← created ∪ {f}; 
         creates SIOA ReqAgt(f) 

  Output response(f, fd, ok?) 
    Pre: (f, fd, ok?) ∈ resps 
    Eff: resps ← resps − {(f, fd, ok?)} 

Figure 9: The client agent 
Request Agent: ReqAgt(f) where f ∈ F 

Signature 
  Input: 
    inform_d(f, flts), where d ∈ D and flts ⊆ F 
    conf_d(f, fd, ok?), where d ∈ D, fd ∈ F, and ok? ∈ Bool 
    terminate(ReqAgt(f)) 
    initially: {move_f(c, d), where d ∈ D} 
  Output: 
    query_d(f), where d ∈ D 
    buy_d(f, flts), where d ∈ D and flts ⊆ F 
    req-agent-response(f, fd, ok?), where fd ∈ F and ok? ∈ Bool 
    initially: ∅ 
  Internal: 
    move_f(c, d), where d ∈ D 
    move_f(d, d'), where d, d' ∈ D and d ≠ d' 
    constant 

State 
  location ∈ {c} ∪ D, location of the request agent, initially c, the location of ClientAgt 
  status ∈ {purchased, failed, unknown}, status of request f, initially notsubmitted 
  trans_d ∈ Bool, true iff ReqAgt(f) is currently interacting with database d (on behalf of request f), initially false 
  D-remaining ⊆ D, databases that have not yet been queried, initially the list of all databases D 
  tkt ∈ F, the flight ticket that ReqAgt(f) purchases on behalf of the client, initially ⊥ 
  okflts_d ⊆ F, set of acceptable flights that ReqAgt(f) has found so far, initially empty 
  queried_d, boolean flag, true when database d has been queried, initially false 
  ordered_d, boolean flag, true when a purchase order for a ticket has been submitted to database d, initially false 

Actions 
  Internal move_f(c, d) 
    Pre: location = c 
    Eff: location ← d; 
         trans_d ← true; 
         D-remaining ← D-remaining − {d}; 
         in ← {inform_d(f, flts), conf_d(f, fd, ok?)}; 
         out ← {query_d(f), buy_d(f, fd), req-agent-response(f, fd, ok?)} 

  Output query_d(f) 
    Pre: location = d ∧ d ∈ D-remaining ∧ ¬queried_d 
    Eff: queried_d ← true 

  Input inform_d(f, flts) 
    Eff: okflts_d ← okflts_d ∪ {fd : fd ∈ flts ∧ fd.p ≤ f.mp}; 
         if okflts_d = ∅ then 
           trans_d ← false 

  Output buy_d(f, flts) 
    Pre: location = d ∧ flts = okflts_d ≠ ∅ ∧ tkt = ⊥ ∧ trans_d ∧ ¬ordered_d 
    Eff: ordered_d ← true 

  Input conf_d(f, fd, ok?) 
    Eff: trans_d ← false; 
         if ok? then 
           tkt ← fd; 
           status ← purchased 
         else 
           if D-remaining = ∅ then 
             status ← failed 

  Internal move_f(d, d') 
    Pre: location = d ∧ d' ∈ D-remaining ∧ status = unknown 
    Eff: location ← d'; 
         in ← {inform_{d'}(f, flts), conf_{d'}(f, fd, ok?)}; 
         out ← {query_{d'}(f), buy_{d'}(f, fd), req-agent-response(f, fd, ok?)} 

  Output req-agent-response(f, fd, ok?) 
    Pre: (status = purchased ∧ fd = tkt ≠ ⊥ ∧ ok?) ∨ (status = failed ∧ fd = ⊥ ∧ ¬ok?) 
    Eff: in ← ∅; 
         out ← ∅; 
         int ← ∅ 

Figure 10: The request agent 
Database: DBAgt_d where d ∈ D 

Signature 
  Input: 
    query_d(f), where f ∈ F and d ∈ D 
    buy_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
    constant 
  Output: 
    inform_d(f, flts), where d ∈ D, f ∈ F, and flts ⊆ F 
    conf_d(f, fd, ok?), where d ∈ D, f ∈ F, fd ∈ F, and ok? ∈ Bool 
    constant 
  Internal: 
    ∅ 
    constant 

State 
  received_d ⊆ F, set of received and pending queries, initially ∅ 
  avail_d ⊆ F, set of available flights 
  orders_d ⊆ F × 2^F, set of pending orders, initially ∅ 

Actions 
  Input query_d(f) 
    Eff: received_d ← received_d ∪ {f} 

  Input buy_d(f, flts) 
    Eff: orders_d ← orders_d ∪ {(f, flts)} 

  Output inform_d(f, flts) 
    Pre: f ∈ received_d ∧ flts = {fd | conforms(fd, f)} 
    Eff: skip 

  Output conf_d(f, fd, ok?) 
    Pre: (f, flts) ∈ orders_d ∧ 
         [ (fd ∈ flts ∩ avail_d ∧ ok?) ∨ (fd = ⊥ ∧ flts ∩ avail_d = ∅ ∧ ¬ok?) ] 
    Eff: avail_d ← avail_d − {fd}; 
         orders_d ← orders_d − {(f, flts)} 

Figure 11: The database agent 
Formally, let Impl be the configuration automaton that is "generated" by ClientAgt and all the ReqAgt(f), 
i.e., the configuration automaton whose initial states correspond to the initial states of ClientAgt, and whose 
transitions are those generated by the intrinsic transitions of the configurations consisting of ClientAgt and all 
created ReqAgt(f). That is, Impl is our implementation. The implementation Impl refines the specification 
Spec (provided that all actions except request(f) and response(f, fd, ok?) are hidden) since the implementation 
queries each database exactly once before returning a negative response, whereas the specification queries 
each database some finite number of times before doing so. Thus, the traces of the implementation are a 
subset of the traces of the specification: $traces(Impl) \subseteq traces(Spec)$. 


We now apply Theorem 17 to infer $traces(Impl \parallel (\parallel_{d \in D} DBAgt_d)) \subseteq traces(Spec \parallel (\parallel_{d \in D} DBAgt_d))$. That is, 
including the databases in the specification and in the implementation does not invalidate the trace inclusion. 
This simplifies our reasoning, and also demonstrates our ability to handle "open" systems, in which a major 
component (i.e., the database) is left unspecified. 


Our results also enable the incremental verification of trace inclusion between specifications and their implementations. 
For example, within the context of a larger system, we replace Spec by Impl, and then we apply 
Theorem 17 to infer that the traces of the resulting system are a subset of the traces of the initial system. For 
example, let Spec2 be a specification for another subsystem that provides hotel booking, and let Impl2 be an 
implementation for Spec2 such that $traces(Impl2) \subseteq traces(Spec2)$. We apply Theorem 17 with antecedent 
$traces(Impl) \subseteq traces(Spec)$ to infer $traces(Impl \parallel Spec2) \subseteq traces(Spec \parallel Spec2)$. We again apply Theorem 17 
with antecedent $traces(Impl2) \subseteq traces(Spec2)$ to infer $traces(Impl \parallel Impl2) \subseteq traces(Impl \parallel Spec2)$. 
Transitivity of $\subseteq$ then yields $traces(Impl \parallel Impl2) \subseteq traces(Spec \parallel Spec2)$, i.e., the overall implementation is 
trace-contained in the overall specification. We can repeat this as often as we like, e.g., if there is a third system 
Spec3 and its implementation Impl3, say for booking rental cars. Then $traces(Impl3) \subseteq traces(Spec3)$, 
together with the above and Theorem 17, gives us $traces(Impl \parallel Impl2 \parallel Impl3) \subseteq traces(Spec \parallel Spec2 \parallel Spec3)$. 
Thus, we can in turn replace each specification by its implementation, and have trace-containment guaranteed. 


Now suppose that we replace ReqAgt(f) by another agent ReqAgt'(f) whose behavior is more constrained in 
that ReqAgt'(f) does not move arbitrarily from one database d to another d', but selects the destination d' 
according to a heuristic function next() that attempts to maximize the probability of finding a suitable flight. 
In other words, the precondition of the move_f(d, d') action is changed from $location = d \wedge d' \in D\text{-}remaining \wedge status = unknown$ 
to $location = d \wedge d' \in D\text{-}remaining \wedge status = unknown \wedge d' = next()$. This change 
implies that $traces(ReqAgt'(f)) \subseteq traces(ReqAgt(f))$ and $ttraces(ReqAgt'(f)) \subseteq ttraces(ReqAgt(f))$, since the 
behaviors of ReqAgt'(f) are more constrained than those of ReqAgt(f). 


Let Impl' be the same as Impl, except that ReqAgt'(f) is created instead of ReqAgt(f). We show that all 
assumptions of Theorem 35 are satisfied. From the "initially" statements in the I/O automaton pseudocode 
in Figure 10, we see that ReqAgt(f) has a single initial state. Also, ReqAgt(f) and ReqAgt'(f) destroy 
themselves using the output action req-agent-response. Hence Assumption 1 is satisfied. The only action 
that creates SIOA is an action of ClientAgt, and so Assumption 2 is satisfied. Since the initial states of 
Impl and Impl' correspond, Assumption 3 is satisfied. Since $traces(ReqAgt'(f)) \subseteq traces(ReqAgt(f))$ and 
$ttraces(ReqAgt'(f)) \subseteq ttraces(ReqAgt(f))$, we have that Assumptions 4 and 5 are satisfied. Since the SIOA 
created by create(ClientAgt, ReqAgt(f)) depend only on the inputs request(f), we see that Impl and Impl' 
are creation-corresponding w.r.t. request agents, and hence Assumption 6 is satisfied. Hence we apply 
Theorem 35 to conclude $traces(Impl') \subseteq traces(Impl)$. The above results together with Theorem 17 now 
yield, for example, $traces(Impl' \parallel Impl2 \parallel Impl3) \subseteq traces(Spec \parallel Spec2 \parallel Spec3)$. 


This example illustrates one way of satisfying the creation-correspondence requirement: the SIOA created 
depend on the sequence of inputs and outputs executed so far (in the case of this example, it depends on 
only the inputs, i.e., the client requests). 
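As an added example (not the paper's own code), the following Python script enumerates the traces of the request agent of Figure 10 run against the database agents of Figure 11, checks the safety property stated at the end of Section 6 (a positive response never carries a flight priced above f.mp), and confirms that the heuristic agent ReqAgt'(f) described above is trace-contained in ReqAgt(f). The flight data, the heuristic next() (cheapest database first), and the simplifications (databases reply immediately, every offered flight conforms, and the agent's current signature is abstracted by its location) are assumptions of the example.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

# Constructed data (assumption): flight descriptors are (name, price) pairs,
# and every flight a database offers is taken to conform to the request.
DATABASES = {                       # avail_d for each DBAgt_d, d in D
    "d1": {("AA10", 450)},
    "d2": {("BB20", 280), ("BB21", 290)},
    "d3": {("CC30", 250)},
}

@dataclass(frozen=True)
class AgentState:
    """The part of ReqAgt(f)'s state that the enumeration needs."""
    location: str                    # c or some d in D
    remaining: FrozenSet[str]        # D-remaining
    status: str = "unknown"          # unknown | purchased | failed
    tkt: Optional[tuple] = None      # None plays the role of ⊥

def enabled_moves(s, nxt=None):
    """Targets of move_f(c, d) / move_f(d, d') in state s.  With nxt=None the
    agent may move to any remaining database (ReqAgt(f)); with a heuristic
    nxt, only to nxt(D-remaining), i.e. the d' = next() conjunct (ReqAgt'(f))."""
    if s.status != "unknown" or not s.remaining:
        return []
    return [nxt(s.remaining)] if nxt else sorted(s.remaining)

def visit(s, d, mp):
    """query_d, inform_d and, if some offered flight costs at most mp, buy_d and
    conf_d at database d.  The database answers immediately (assumption).
    Returns the new agent state and the external actions that occurred."""
    flts = frozenset(DATABASES[d])
    trace = [("query", d), ("inform", d, flts)]
    okflts = frozenset(fd for fd in flts if fd[1] <= mp)
    s = replace(s, location=d, remaining=s.remaining - {d})
    if okflts:
        fd = min(okflts)             # DBAgt_d confirms some fd in flts ∩ avail_d
        trace += [("buy", d, okflts), ("conf", d, fd, True)]
        return replace(s, status="purchased", tkt=fd), trace
    if not s.remaining:              # every database queried, nothing bought
        return replace(s, status="failed"), trace
    return s, trace

def traces(mp, nxt=None):
    """Set of traces of all complete executions of the agent for a request with
    maximum price mp.  Moves are internal, so they never appear in a trace."""
    start = AgentState("c", frozenset(DATABASES))
    result = set()
    stack = [(start, ())]
    while stack:
        s, tr = stack.pop()
        if s.status != "unknown":    # req-agent-response, then the agent terminates
            ok = s.status == "purchased"
            result.add(tr + (("response", s.tkt, ok),))
            continue
        for d in enabled_moves(s, nxt):
            s2, part = visit(s, d, mp)
            stack.append((s2, tr + tuple(part)))
    return result

def cheapest_first(remaining):
    """Constructed heuristic next() (assumption): the database whose cheapest
    flight is cheapest, ties broken by name."""
    return min(sorted(remaining), key=lambda d: min(p for _, p in DATABASES[d]))

def safety_holds(trs, mp):
    """Safety property: a positive response never carries a flight priced above mp."""
    return all(act[1][1] <= mp
               for t in trs for act in t if act[0] == "response" and act[2])

if __name__ == "__main__":
    full, refined = traces(300), traces(300, cheapest_first)
    print(len(full), len(refined), refined <= full, safety_holds(full, 300))
```

With the constructed data, ReqAgt(f) has four traces for a budget of 300 (it may visit the overpriced d1 first) while ReqAgt'(f) has one, and every trace of the refined agent is a trace of the original.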
9 Related Work 


Formalisms for the modeling of dynamic systems can generally be classified as being based on process algebras 
or on automata/state transition systems. 


The π-calculus [26] is a process algebra that includes the ability to modify the channels between processes: 
channels are referred to by names, and a name y can be sent along a known channel to a recipient, which 
then acquires the ability to use the channel named by y. The π-calculus adopts the viewpoint that mobility 
of processes is modelled by changing the links that a process can use to communicate; to quote from [26, 
page 78]: "the location of a process in a virtual space of processes is determined by the links which it has 
to other processes; in other words, your neighbors are those you can talk to." Process creation is given in 
the π-calculus by the ! operator: the process !P can create an unlimited number of copies of P. We can 
emulate this feature by having a configuration automaton which can create an unlimited number of copies 
of an SIOA. 


The asynchronous π-calculus [17] is an asynchronous version of the π-calculus where receipt of a name along 
a channel occurs after it is sent, rather than synchronously, as in the original π-calculus. The higher-order 
π-calculus allows sending processes themselves as messages along channels [27]. In terms of how mobility is 
modeled, DIOA is therefore similar to the π-calculus in that we also model mobility in terms of signature 
change. 


The distributed join-calculus [13] extends the π-calculus with notions of explicit location, failure, and failure 
detection. Locations are hierarchical, and are modelled as trees. Locations reside at a physical site and can 
move atomically to another physical site, taking their entire subtree of locations with them. A failed location 
is tagged by a marker. All sublocations of a failed location are also failed. 


The Distributed π-calculus Dπ [30] is another extension of the π-calculus that deals with distribution issues. 
Dπ provides tree-structured locations, and each basic process (thread) is located at some location. Channels 
are also located, and a process can send a value on a channel only if it is at the same location as the channel. 
Channels and locations also have permissions associated with them, which constrain their use. These 
constraints are enforced by a type system. 


The ambient calculus [8] takes as primitive notions agents, which execute actions, and ambients. An ambient 
is a “space” which agents can enter, leave, and open. Ambients may be nested, and are mobile. A process 
in the ambient calculus is either an agent or an ambient. The ambient calculus is intended to model, e.g., 
administrative domains in the world-wide web. 


The above process algebras have a formal syntax for process expressions, and a fixed set of reaction rules, 
which give the possible reductions between expressions. Reasoning about behaviour is carried out using 
notions of equivalence and congruence: observational equivalence, weak and strong bisimulation, barbed 
bisimulation, etc. 


DIOA makes a different choice of primitive notion: it chooses actions and automata as primitive, and does 
not include channels and their transmission as primitive. Our approach is also different in that it is primarily 
a (set-theoretic) mathematical model, rather than a formal language and calculus. We expect that notions 
such as channel and location will be built upon the basic model using additional layers (as we do for modeling 
mobility in terms of signature change). Also, we ignore issues (e.g., syntax) that are important when designing 
a programming language. Note that the "precondition effect" notation used in the travel agent example is 
informal, and used only for exposition. Reasoning about behaviour is carried out using trace substitutivity: 
the monotonicity of parallel composition, action hiding, action renaming, and SIOA creation (subject to 
technical conditions) with respect to trace inclusion. A consequence of our results is that trace equivalence 
is a congruence with respect to parallel composition, action hiding, and action renaming. 


In a joint study [2] with researchers from Nippon Telephone and Telegraph, we compare DIOA with two 
languages defined and used at Nippon Telephone and Telegraph: Erdös is a knowledge based environment 
for agent programming, and Nepi extends the π-calculus with data types. We construct a simplified version 
of the travel agent example above, in all three formalisms. The version in DIOA appears cleaner and easier 
to read, as it is devoid of language and implementation-specific detail. The versions in Nepi and Erdös have 
the advantage of executability, and in addition Erdös supports CTL model checking [9] in the finite-state 
case. Hence DIOA can be used for the initial specification and implementation of a dynamic system, and 
our trace inclusion results used for verification of conformance of the implementation to the specification. 
Subsequently, the DIOA implementation can be translated into Nepi or Erdös, or indeed into any other 
concrete executable programming notation for dynamic systems. Alternatively, the DIOA can be compiled 
directly, as in the IOA project [15]. This approach provides the advantages of a compositional approach to 
specification, design, and implementation of dynamic systems. 


One key difference between DIOA and process algebras is that most behavioral equivalence notions for 
process algebras are based on simulation/bisimulation relations, and so entail examining the state transition 
structure of the two systems being compared. DIOA on the other hand uses trace substitutivity and trace 
equivalence, which are based only on the externally visible behavior. In practice one would use simulation 
relations to establish trace inclusion, so this difference may not matter so much, but it does provide room 
for methods of establishing trace inclusion apart from simulation relations. 


Bigraphs [28] were introduced by Milner as a model for ubiquitous computing systems containing large 
numbers of mobile agents, and are founded on two main notions: placing and linking [28, prologue]. A 
bigraph over a given set of nodes V consists of two independent (and independently modifiable) components: 
a place graph, which is a forest over V, and a link graph, which is a hypergraph over V. The place graph 
models location: nodes in a place graph are similar to ambients, and can move inside other nodes, and out 
of nodes that are ancestors in the place graph. The link graph models connectivity: hyperedges in the link 
graph represent connectivity. Unlike the process algebras discussed above, bigraphs do not come with a fixed 
set of reaction rules, and their behavioral theory is given with respect to a set of unspecified reaction rules 
[18]. 


A rough analogy can be drawn between the structure of Bigraphs and DIOA: the place graph is analogous 
to the nesting of a configuration automaton inside the configuration automaton which created it, and the 
hyperedges of the link graph are analogous to actions, which can have several SIOA as participants. The 
input enabling condition destroys this analogy to some extent, but we note that we did not use input enabling 
to derive any of our results, and it can possibly be dispensed with. Detailed investigation of the relation 
between Bigraphs and DIOA is a topic for future work. 


Among state-based formalisms for dynamic models, we mention Dynamic BIP and Dynamic Reactive Mod- 
ules. Dynamic Reactive Modules [12] are a dynamic extension of reactive modules [1]. New modules can 
be created as instances of module class definitions, using a new command, as in object-oriented languages. 
The new command returns a reference to the newly created instance, which can be stored in a reference 
variable, and passed to other module instances as a parameter, upon their creation. A module instance that 
has a reference to another module instance can then read the other module's externally visible variables. 
The semantics of dynamic reactive modules are given by dynamic discrete systems [12], which extend fair 
discrete systems [19] to model the creation of module instances. 


BIP [5] is a framework for constructing systems by superposing three layers of modeling: behavior, inter- 
action, and priority (hence BIP). An atomic component is a labeled transition system extended with ports, 
which label its transitions. A (multiparty) interaction is a synchronous event which involves a fixed set of 
participating atomic components. Syntactically, an interaction is specified as a set of ports, with at most one 
port from each atomic component. Execution of a multiparty interaction involves the synchronous execution 
of a transition labeled by the relevant port in each participating component. BIP provides both syntax 
and semantics, and has been implemented in the BIP execution Engine [6]. Dynamic BIP, or Dy-BIP [7], 
extends BIP by allowing the set of interactions to change dynamically with the current global state. The 
possible interactions in a state are computed as maximal solutions of constraints. Dy-BIP does not include 
the dynamic creation and destruction of component instances. This is for simplicity, and is not a fundamen- 
tal limitation. Dy-BIP is thus similar to our SIOA, whose signatures are functions of their state. However 
Dy-BIP provides a syntax for writing interaction constraints, and these have been implemented in the BIP 
execution Engine. 


In summary, our model is based on the I/O automaton model [23], which has been successfully applied to the 
design of many difficult distributed algorithms, including ones for resource allocation [22, 31], distributed data 
services [10], group communication services [11], distributed shared memory [21, 25], and reliable multicast 
[20]. In our model, all processes have unique identifiers, and the notion of a subsystem is well defined. 
Subsystems can be built up hierarchically. Together with our results regarding the monotonicity of trace 
inclusion, this provides a semantic foundation for compositional reasoning. In contrast, process calculi tend 
to use a more syntactic approach, by showing that some notion of simulation or bisimulation is preserved 
by the operators that are used to define the syntax of processes (e.g., parallel composition, choice, action 
prefixing). 


10 Conclusions and Further Research 


We presented a model, DIOA, of dynamic computation based on I/O automata. The features of dynamic 
computation that DIOA expresses directly are (1) modification of communication and synchronization ca- 
pabilities, i.e., SIOA signature change, and (2) creation of new components, i.e., configuration automata 
and configuration mappings. Other aspects of dynamic computation, such as location and migration, are 
modeled indirectly using the above-mentioned features. 


For SIOA, we established standard results of (1) monotonicity of trace inclusion (trace substitutivity), and 
(2) trace equivalence as a congruence, both with respect to the operations of concurrent composition, action 
hiding, and action renaming. For configuration automata and the operation of SIOA creation, we gave an 
example showing that trace inclusion is not always monotonic with respect to SIOA creation. This is in 
contrast to most process algebras, where the simulation relation used is shown to be a congruence with 
respect to process creation. This somewhat surprising result stems from our use of trace inclusion and trace 
equivalence for relating different systems. Trace inclusion and trace equivalence abstract away from the 
internal branching structure of the transition system, and this accounts for the violation of trace inclusion 
monotonicity. We then presented some technical assumptions under which trace inclusion is monotonic with 
respect to SIOA creation. In addition to trace inclusion, we need to also assume inclusion of terminating 
traces (traces of terminating executions), along with restrictions on when the substituted SIOA can be 
created. 


Our model provides a very general framework for modeling process creation: creation of an SIOA A is a 
function of the state of the “containing” configuration automaton, i.e., the global state of the “encapsulated 
system” which creates A. This generality was useful in enabling us to define a connection between SIOA 
creation and external behavior that yielded Theorems 34 and 35. 


For future work, the most pressing concern is to devise a notion of forward simulation for DIOA, and to 
show that it implies trace inclusion. Clearly, the state correspondence must match not only the outgoing 
transitions, but also the external signatures in the corresponding states. 


We intend to investigate the relationship between DIOA and the π-calculus, and to look into embedding the 
π-calculus into DIOA. This should provide insight into the implications of the choice of primitive notion: 
automata and actions for DIOA versus names and channels for the π-calculus. The work of [29], which provides 
a process-algebraic view of I/O automata, could be a starting point for this investigation. We note that the 
use of unique SIOA identifiers is crucial to our model: it enables the definition of the execution projection 
operator, and the establishment of execution projection/pasting and trace pasting results. This then yields 
our trace substitutivity result. The π-calculus does not have such identifiers, and so the only compositionality 
results in the π-calculus are with respect to simulation, rather than trace inclusion. Since simulation is 
incomplete with respect to trace inclusion, our compositionality result has somewhat wider scope than that 
of the π-calculus. When the traces of A are included in those of B, but there is no simulation from A to 
B, our approach will allow B to be replaced by A, and we can automatically conclude that correctness is 
preserved, i.e., no new behaviors are introduced in the overall system. 
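The two claims above, that trace inclusion abstracts away from the branching structure of a transition system and that simulation is incomplete with respect to trace inclusion, can be checked mechanically on a small instance. The following is an added illustration, not code or an example from this paper (in particular it does not reproduce the paper's SIOA-creation counterexample): it takes the textbook pair A = a.(b + c) and B = a.b + a.c as finite labelled transition systems, enumerates their traces, and computes the greatest simulation relation by fixpoint refinement. The state names, the transition encoding and the `bound` parameter are assumptions of this illustration.

```python
"""Trace inclusion versus simulation on finite labelled transition systems.

Constructed example (not from the paper):
  A = a.(b + c)   one a-step, then a choice between b and c
  B = a.b + a.c   the choice is made at the a-step
A and B have the same traces, so traces(A) is included in traces(B),
yet B does not simulate A: after A's a-step the target state must be matched
by a B-state that offers both b and c, and no such state exists.
"""
from itertools import product

# An LTS is (initial state, set of transitions (src, label, dst)).
# State names are arbitrary labels chosen for this illustration.
A = ("a0", {("a0", "a", "a1"), ("a1", "b", "a2"), ("a1", "c", "a3")})
B = ("b0", {("b0", "a", "b1"), ("b0", "a", "b2"),
            ("b1", "b", "b3"), ("b2", "c", "b4")})


def states(lts):
    init, trans = lts
    result = {init}
    for src, _, dst in trans:
        result.add(src)
        result.add(dst)
    return result


def successors(lts, state, label):
    return {dst for src, lab, dst in lts[1] if src == state and lab == label}


def traces(lts, bound=10):
    """All finite traces of length <= bound, by breadth-first unfolding.
    The systems here are acyclic, so the bound is never reached."""
    init, trans = lts
    result = {()}
    frontier = {(init, ())}
    while frontier:
        nxt = set()
        for state, tr in frontier:
            if len(tr) >= bound:
                continue
            for src, lab, dst in trans:
                if src == state:
                    extended = tr + (lab,)
                    result.add(extended)
                    nxt.add((dst, extended))
        frontier = nxt
    return result


def trace_included(p, q):
    """True iff every trace of p is a trace of q."""
    return traces(p) <= traces(q)


def greatest_simulation(p, q):
    """Largest R over states(p) x states(q) such that for (s, t) in R and
    every step s -l-> s' there is a step t -l-> t' with (s', t') in R.
    Start from the full relation and discard pairs until nothing changes."""
    labels = {lab for _, lab, _ in p[1] | q[1]}
    rel = set(product(states(p), states(q)))
    changed = True
    while changed:
        changed = False
        for (s, t) in list(rel):
            for lab in labels:
                for s2 in successors(p, s, lab):
                    if not any((s2, t2) in rel for t2 in successors(q, t, lab)):
                        rel.discard((s, t))
                        changed = True
                        break
                if (s, t) not in rel:
                    break
    return rel


def simulated_by(p, q):
    """True iff q simulates p from the initial states."""
    return (p[0], q[0]) in greatest_simulation(p, q)


if __name__ == "__main__":
    print("traces(A) <= traces(B):", trace_included(A, B))   # True
    print("traces(B) <= traces(A):", trace_included(B, A))   # True
    print("B simulates A:", simulated_by(A, B))              # False
    print("A simulates B:", simulated_by(B, A))              # True
```

The trace sets coincide, so a trace-based substitutivity result lets A stand in for B (or vice versa) inside a context, while a simulation-based result would only license replacing B by A in one direction, since A simulates B but B does not simulate A. This is the gap the paper refers to when it says simulation is incomplete with respect to trace inclusion; the separate fact that trace inclusion is not by itself preserved under SIOA creation is shown by an example earlier in the paper and is not reproduced here.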


We will explore the use of DIOA as a semantic model for object-oriented programming. Since we can express 
dynamic aspects of OOP, such as the creation of objects, directly, we feel this is a promising direction. 
Embedding a model of objects into DIOA would provide a foundation for the verification and refinement of 
OO programs. 


Agent systems should be able to operate in a dynamic environment, with processor failures, unreliable 
channels, and timing uncertainties. Thus, we need to extend our model to deal with fault-tolerance and 
timing. 

Pure liveness properties are given by a set of live traces. A live trace is the trace of a live execution, and a 
live execution is one which meets a specified liveness condition [4, 14]. Refinement with respect to liveness 
properties is dealt with by inclusion relations amongst the sets of live traces only. In [4], a method is given 
for establishing live trace inclusion, by using a notion of forward simulation that is sensitive to liveness 
properties. Extending this method to SIOA will enable the refinement and verification of liveness properties 
of dynamic systems. 